authorPavel Maltsev <pavelm@google.com>2018-04-29 12:49:40 -0700
committerPavel Maltsev <pavelm@google.com>2018-04-29 17:30:21 -0700
commitec338e1d73938166a78240743d433f87d723913d (patch)
tree8bceabcf90d298158b1bb0aac87a789cbaeab768 /car_product/sepolicy
parentccf170279da2c014ec194f25cac552c7e4dd60db (diff)
downloadCar-ec338e1d73938166a78240743d433f87d723913d.tar.gz
Move Car Service to its own security domain
Before this change, Car Service was running in the system_app domain, which didn't allow us to have fine-grained access control. For example, we had to grant VHAL client access to all system apps, etc. Also, make KitchenSink run in the same security domain as Car Service (it has direct access to VHAL for test / debug purposes). Bug: 70637118 Test: m && emulator ; also verified on bat_land Change-Id: I8d27ae280ef6badf3a10b71a6efa47e92987f255
Diffstat (limited to 'car_product/sepolicy')
-rw-r--r--car_product/sepolicy/carservice_app.te41
-rw-r--r--car_product/sepolicy/domain.te1
-rw-r--r--car_product/sepolicy/powertestservice.te4
-rw-r--r--car_product/sepolicy/priv_app.te2
-rw-r--r--car_product/sepolicy/property_contexts2
-rw-r--r--car_product/sepolicy/seapp_contexts4
-rw-r--r--car_product/sepolicy/service.te2
-rw-r--r--car_product/sepolicy/service_contexts2
-rw-r--r--car_product/sepolicy/system_app.te6
9 files changed, 50 insertions, 14 deletions
diff --git a/car_product/sepolicy/carservice_app.te b/car_product/sepolicy/carservice_app.te
new file mode 100644
index 0000000000..af119a8a58
--- /dev/null
+++ b/car_product/sepolicy/carservice_app.te
@@ -0,0 +1,41 @@
+# Domain to run Car Service (com.android.car)
+type carservice_app, domain, coredomain;
+app_domain(carservice_app);
+
+# Allow Car Service to be the client of Vehicle and Audio Control HALs
+hal_client_domain(carservice_app, hal_audiocontrol)
+hal_client_domain(carservice_app, hal_vehicle)
+
+# Allow to set boot.car_service_created property
+set_prop(carservice_app, car_prop)
+
+# Allow Car Service to register itself with ServiceManager
+allow carservice_app carservice_service:service_manager add;
+
+# Allow Car Service to access certain system services.
+# Keep alphabetically sorted.
+allow carservice_app {
+ accessibility_service
+ activity_service
+ autofill_service
+ connectivity_service
+ content_service
+ deviceidle_service
+ display_service
+ graphicsstats_service
+ input_method_service
+ input_service
+ location_service
+ network_management_service
+ power_service
+ sensorservice_service
+ surfaceflinger_service
+ uimode_service
+}:service_manager find;
+
+# Read and write /data/data subdirectory.
+allow carservice_app system_app_data_file:dir create_dir_perms;
+allow carservice_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+# For I/O stats tracker
+allow carservice_app proc_uid_io_stats:file { read open getattr };
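Review bot: The comment `# Read and write /data/data subdirectory.` understates what the two allow rules below it grant: the rules target `system_app_data_file`, which appears to be the same type used for other system_app data (the seapp_contexts added in this change keep `type=system_app_data_file`), so moving Car Service out of `system_app` does not isolate its data from other system-UID apps. I would make that explicit, e.g. `# Data dir is still labelled system_app_data_file (shared with system_app); this grants access to all system-UID app data, not just Car Service's own.` The header `# Domain to run Car Service (com.android.car)` should also state that the KitchenSink test app is mapped into this domain by seapp_contexts, so every rule added to this file is granted to that debug app as well and should be reviewed with that in mind.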
diff --git a/car_product/sepolicy/domain.te b/car_product/sepolicy/domain.te
index bb451f322e..d643e83b3d 100644
--- a/car_product/sepolicy/domain.te
+++ b/car_product/sepolicy/domain.te
@@ -1,3 +1,2 @@
# Ignore personality-8 denials.
dontaudit domain kernel:system module_request;
-
diff --git a/car_product/sepolicy/powertestservice.te b/car_product/sepolicy/powertestservice.te
index faed503c22..2e2ace7f4e 100644
--- a/car_product/sepolicy/powertestservice.te
+++ b/car_product/sepolicy/powertestservice.te
@@ -4,6 +4,6 @@ type powertestservice_exec, exec_type, file_type;
init_daemon_domain(powertestservice)
binder_use(powertestservice)
-binder_call(powertestservice, system_app)
+binder_call(powertestservice, carservice_app)
-allow powertestservice car_service:service_manager find;
+allow powertestservice carservice_service:service_manager find;
diff --git a/car_product/sepolicy/priv_app.te b/car_product/sepolicy/priv_app.te
deleted file mode 100644
index fd3f31b556..0000000000
--- a/car_product/sepolicy/priv_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-hal_client_domain(priv_app, hal_audiocontrol)
-hal_client_domain(priv_app, hal_vehicle)
diff --git a/car_product/sepolicy/property_contexts b/car_product/sepolicy/property_contexts
index 3b680cb612..a6ffc71e81 100644
--- a/car_product/sepolicy/property_contexts
+++ b/car_product/sepolicy/property_contexts
@@ -1,4 +1,4 @@
hw.cabl. u:object_r:hw_cabl_prop:s0
wlan.driver. u:object_r:wlan_driver_prop:s0
-boot.car_service_created u:object_r:car_prop:s0
+boot.car_service_created u:object_r:car_prop:s0
diff --git a/car_product/sepolicy/seapp_contexts b/car_product/sepolicy/seapp_contexts
new file mode 100644
index 0000000000..ec629bec41
--- /dev/null
+++ b/car_product/sepolicy/seapp_contexts
@@ -0,0 +1,4 @@
+user=system seinfo=platform name=com.android.car domain=carservice_app type=system_app_data_file
+
+# Allow Kitchen Sink app (for test purpose) to run in the Car Service security domain
+user=system seinfo=platform name=com.google.android.car.kitchensink domain=carservice_app type=system_app_data_file
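Review bot: The kitchensink entry grants a test app the full `carservice_app` permission set, including Vehicle and Audio Control HAL client access and the service_manager finds, in policy that is not restricted to debug builds; nothing in the hunk limits where it applies. If the build supports a debug-only sepolicy fragment, this entry belongs there; otherwise the comment should make the trade-off explicit, e.g. `# NOTE: this gives KitchenSink every permission of carservice_app (VHAL/Audio Control HAL client, service finds); remove or gate to debug builds before shipping production policy.`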
diff --git a/car_product/sepolicy/service.te b/car_product/sepolicy/service.te
index 791ca412df..6eff13bb65 100644
--- a/car_product/sepolicy/service.te
+++ b/car_product/sepolicy/service.te
@@ -1 +1 @@
-type car_service, service_manager_type;
+type carservice_service, service_manager_type;
diff --git a/car_product/sepolicy/service_contexts b/car_product/sepolicy/service_contexts
index cc04e61db7..844d65d40b 100644
--- a/car_product/sepolicy/service_contexts
+++ b/car_product/sepolicy/service_contexts
@@ -1 +1 @@
-car_service u:object_r:car_service:s0
+car_service u:object_r:carservice_service:s0
diff --git a/car_product/sepolicy/system_app.te b/car_product/sepolicy/system_app.te
deleted file mode 100644
index 0894e587ae..0000000000
--- a/car_product/sepolicy/system_app.te
+++ /dev/null
@@ -1,6 +0,0 @@
-hal_client_domain(system_app, hal_audiocontrol)
-hal_client_domain(system_app, hal_vehicle)
-
-set_prop(system_app, car_prop)
-
-allow system_app car_service:service_manager add;