From 031fe80418c781cc891b8e118b83986d8c2926c2 Mon Sep 17 00:00:00 2001 From: raylinhsu Date: Tue, 16 Mar 2021 13:18:29 +0800 Subject: [PATCH] display: add sepolicy for hal_graphics_composer Allow HWC to access vendor_log_file and also allow hwc to access power hal Bug: 181712799 Test: pts -m PtsSELinuxTest -t com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: I403a528f651b9ee5755d11525f2a33c39628ecee --- .../gs101/hal_graphics_composer_default.te | 4 ++++ .../hal_graphics_composer_default.te | 23 ------------------- .../google/hal_graphics_composer_default.te | 1 + 3 files changed, 5 insertions(+), 23 deletions(-) delete mode 100644 tracking_denials/hal_graphics_composer_default.te diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te index 5a607815..b5139133 100644 --- a/display/gs101/hal_graphics_composer_default.te +++ b/display/gs101/hal_graphics_composer_default.te @@ -32,3 +32,7 @@ add_service(hal_graphics_composer_default, vendor_displaycolor_service) add_service(hal_graphics_composer_default, hal_pixel_display_service) binder_use(hal_graphics_composer_default) +get_prop(hal_graphics_composer_default, boot_status_prop); + +# allow HWC to access vendor log file +allow hal_graphics_composer_default vendor_log_file:file create_file_perms; diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te deleted file mode 100644 index 3bc97c42..00000000 --- a/tracking_denials/hal_graphics_composer_default.te +++ /dev/null 
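Review bot: `create_file_perms` on the last added line of display/gs101/hal_graphics_composer_default.te grants more than the retired denials show HWC needing: the deleted tracking file lists only `create`, `append`, `open` and `getattr` on `vendor_log_file:file`, while the macro also carries `rename`, `setattr`, `unlink` and full read/write. If other vendor daemons write under the same label (not visible in this patch), the composer HAL could then alter or remove their logs; a tighter rule would be `allow hal_graphics_composer_default vendor_log_file:file { create append open getattr };`, widened only when a new denial appears. The `get_prop(...)` line also ends in `;` while the macro calls in the surrounding context do not. Separately, the deleted tracking file also carried the b/181915065 `hal_dumpstate_default` entries, and nothing in this patch replaces them, so those denials will be audited again unless they are handled elsewhere.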
@@ -1,23 +0,0 @@
-# b/181712799
-dontaudit hal_graphics_composer_default hal_power_default:binder { call };
-dontaudit hal_graphics_composer_default boot_status_prop:file { read };
-dontaudit hal_graphics_composer_default boot_status_prop:file { open };
-dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
-dontaudit hal_graphics_composer_default boot_status_prop:file { map };
-dontaudit hal_graphics_composer_default hal_power_default:binder { call };
-dontaudit hal_graphics_composer_default boot_status_prop:file { map };
-dontaudit hal_graphics_composer_default vendor_log_file:file { create };
-dontaudit hal_graphics_composer_default vendor_log_file:file { append open };
-dontaudit hal_graphics_composer_default vendor_log_file:file { getattr };
-dontaudit hal_graphics_composer_default vendor_log_file:file { getattr };
-dontaudit hal_graphics_composer_default vendor_log_file:file { append open };
-dontaudit hal_graphics_composer_default vendor_log_file:file { create };
-dontaudit hal_graphics_composer_default hal_power_service:service_manager { find };
-dontaudit hal_graphics_composer_default boot_status_prop:file { read };
-dontaudit hal_graphics_composer_default boot_status_prop:file { open };
-dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
-# b/181915065
-dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
-dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write };
-dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
-dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write };
diff --git a/whitechapel/vendor/google/hal_graphics_composer_default.te b/whitechapel/vendor/google/hal_graphics_composer_default.te
index f1d97149..0562aa0e 100644
--- a/whitechapel/vendor/google/hal_graphics_composer_default.te
+++ b/whitechapel/vendor/google/hal_graphics_composer_default.te
@@ -3,3 +3,4 @@ allow hal_graphics_composer_default sysfs_display:file rw_file_perms; # allow HWC to access power hal binder_call(hal_graphics_composer_default, hal_power_default); +hal_client_domain(hal_graphics_composer_default, hal_power);
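Review bot: The added `hal_client_domain(hal_graphics_composer_default, hal_power);` likely makes the `binder_call(hal_graphics_composer_default, hal_power_default);` line just above it redundant, because the platform's hal_power policy normally grants binder calls between the client and server attributes; that policy is not part of this patch, so confirm before dropping the explicit rule. Keeping both leaves two places to update if HWC's power HAL access is ever narrowed or removed. The attribute route may also permit calls from the power HAL back into HWC, which none of the retired denials asked for, so the comment should say why the full client domain is wanted, for example `# HWC is a power HAL client (service lookup and binder)`.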