Merge "Add support for non-su hal_uwb" into sc-dev am: e99c749cbd

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs101-sepolicy/+/14928438

Change-Id: Ib43a3b2c888f48c70c6a71e117a8de04662f923a

whitechapel/vendor/google/hal_uwb.te

@@ -0,0 +1,15 @@
+# HwBinder IPC from client to server
+binder_call(hal_uwb_client, hal_uwb_server)
+binder_call(hal_uwb_server, hal_uwb_client)
+
+hal_attribute_service(hal_uwb, hal_uwb_service)
+
+binder_call(hal_uwb_server, servicemanager)
+
+# allow hal_uwb to set wpan interfaces up and down
+allow hal_uwb self:udp_socket create_socket_perms;
+allowxperm hal_uwb self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
+allow hal_uwb self:global_capability_class_set { net_admin };
+
+# allow hal_uwb to speak to nl802154 in the kernel
+allow hal_uwb self:netlink_generic_socket create_socket_perms_no_ioctl;

whitechapel/vendor/google/hal_uwb_default.te

@@ -3,3 +3,6 @@ type hal_uwb_default_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(hal_uwb_default)
 
 add_service(hal_uwb_default, hal_uwb_service)
+
+hal_server_domain(hal_uwb_default, hal_uwb)
+binder_call(hal_uwb_default, uwb_vendor_app)

whitechapel/vendor/google/uwb_vendor_app.te

@@ -4,9 +4,15 @@ app_domain(uwb_vendor_app)
 
 add_service(uwb_vendor_app, uwb_vendor_service)
 
+not_recovery(`
+hal_client_domain(uwb_vendor_app, hal_uwb)
+
 allow uwb_vendor_app app_api_service:service_manager find;
 allow uwb_vendor_app hal_uwb_service:service_manager find;
 allow uwb_vendor_app nfc_service:service_manager find;
 
 allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
 allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+
+binder_call(uwb_vendor_app, hal_uwb_default)
+')