MTK Android O Treble: SELinux policy for a newly added HAL hwservice

[DESCRIPTION]
Notes on adding SELinux policy when a new HAL service is added on Android O.
[SOLUTION]
EX: vendor.mediatek.hardware.xxxxxx
1. hwservice.te
    type mtk_hal_xxx_hwservice, hwservice_manager_type;

2-1. hwservice_contexts
    vendor.mediatek.hardware.xxx::IXXX u:object_r:mtk_hal_xxx_hwservice:s0

2-2. file_contexts
    /(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.xxx@1\.1-service u:object_r:mtk_hal_xxx_exec:s0

3. mtk_hal_xxx.te
    # Set a new domain called mtk_hal_xxx
    type mtk_hal_xxx, domain;
    # Set your domain as a server domain of hal_xxx, which is already defined by AOSP
    hal_server_domain(mtk_hal_xxx, hal_xxx)
    # Set your exec file type
    type mtk_hal_xxx_exec, exec_type, file_type, vendor_file_type;
    # Set up the domain transition
    init_daemon_domain(mtk_hal_xxx)
    # Every mtk_hal_xxx.te should follow the lines above; this is the basic policy for every HAL domain

    # Associate your defined MTK HAL hwservice with all server domains; in this case that is your domain
    add_hwservice(hal_xxx_server, mtk_hal_xxx_hwservice)
    # Give your xxx HAL clients permission to find your newly defined hwservice
    allow hal_xxx_client mtk_hal_xxx_hwservice:hwservice_manager find;

    # add your additional policy here
Worked case (mtk_hal_power)

1. /device/mediatek/sepolicy/basic/non_plat/hwservice.te
    type mtk_hal_power_hwservice, hwservice_manager_type;

2. /device/mediatek/sepolicy/basic/non_plat/hwservice_contexts
    vendor.mediatek.hardware.power::IPower u:object_r:mtk_hal_power_hwservice:s0

   /device/mediatek/sepolicy/basic/non_plat/file_contexts
    /(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.power@1\.1-service u:object_r:mtk_hal_power_exec:s0

3. /device/mediatek/sepolicy/basic/non_plat/mtk_hal_power.te
    # Set a new domain called mtk_hal_power
    type mtk_hal_power, domain;
    # Set your exec file type
    type mtk_hal_power_exec, exec_type, file_type, vendor_file_type;

    # hwbinder access
    # Set up the domain transition
    init_daemon_domain(mtk_hal_power)
    hwbinder_use(mtk_hal_power);
    allow mtk_hal_power hwservicemanager_prop:file r_file_perms;
    allow mtk_hal_power hal_power_hwservice:hwservice_manager { add find };
    allow mtk_hal_power hidl_base_hwservice:hwservice_manager add;

    # Associate your defined MTK HAL hwservice with all server domains; in this case that is your domain
    add_hwservice(hal_power, mtk_hal_power_hwservice)
    # Give your xxx HAL clients permission to find your newly defined hwservice
    allow hal_power_client mtk_hal_power_hwservice:hwservice_manager find;
    # Set your domain as a server domain of hal_xxx, which is already defined by AOSP
    hal_server_domain(mtk_hal_power, hal_power);
...
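The steps above only work when the three files agree on type names, so the following added example (not part of the original note or of MediaTek's code) cross-checks them for the mtk_hal_power case. The function names, the BINARY path and the embedded inputs are assumptions constructed from the lines above; the check relies on file_contexts regexes being anchored to the full path and on init_daemon_domain(D) using the type named D_exec.

```python
import re

# Constructed inputs: the mtk_hal_power lines from the case above.
HWSERVICE_TE = "type mtk_hal_power_hwservice, hwservice_manager_type;"
HWSERVICE_CONTEXTS = ("vendor.mediatek.hardware.power::IPower "
                      "u:object_r:mtk_hal_power_hwservice:s0")
FILE_CONTEXTS = (r"/(system\/vendor|vendor)/bin/hw/"
                 r"vendor\.mediatek\.hardware\.power@1\.1-service "
                 "u:object_r:mtk_hal_power_exec:s0")
DOMAIN_TE = """type mtk_hal_power, domain;
type mtk_hal_power_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(mtk_hal_power)
"""
BINARY = "/vendor/bin/hw/vendor.mediatek.hardware.power@1.1-service"  # assumed install path

def declared_types(te_text):
    """Map each 'type T, attr, ...;' declaration to its attribute set."""
    pat = r"^\s*type\s+(\w+)\s*((?:,\s*\w+\s*)*);"
    return {m.group(1): set(re.findall(r"\w+", m.group(2)))
            for m in re.finditer(pat, te_text, re.M)}

def context_entries(text):
    """Yield (key, type) from 'key u:object_r:<type>:s0' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and not line.lstrip().startswith("#") and parts[1].count(":") >= 3:
            yield parts[0], parts[1].split(":")[2]

def check_hal_labels(hwservice_te, hwservice_contexts, file_contexts, domain_te, binary):
    """Return a list of inconsistencies between the policy files (empty = consistent)."""
    problems = []
    types = declared_types(hwservice_te + "\n" + domain_te)
    for iface, t in context_entries(hwservice_contexts):
        if "hwservice_manager_type" not in types.get(t, set()):
            problems.append(f"{iface}: {t} is not declared as hwservice_manager_type")
    matched = False
    for regex, t in context_entries(file_contexts):
        if not {"exec_type", "vendor_file_type"} <= types.get(t, set()):
            problems.append(f"{regex}: {t} lacks exec_type/vendor_file_type")
        # file_contexts regexes are anchored, so the whole path must match.
        if re.fullmatch(regex, binary):
            matched = True
            # init_daemon_domain(D) transitions on the type named D_exec.
            domain = re.sub(r"_exec$", "", t)
            if f"init_daemon_domain({domain})" not in domain_te:
                problems.append(f"{t}: no init_daemon_domain({domain})")
    if not matched:
        problems.append(f"{binary}: no file_contexts entry matches this path")
    return problems
```

An empty list means the labels line up; a binary rebuilt as @1.2-service, for instance, is reported because the @1\.1 regex no longer matches it and the service would start without the intended label.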