Add sepolicy to register VHAL to car watchdog

- VHAL needs to be a carwatchdogclient_domain.
- system_server should be able to kill hal_vehicle_server.

Bug: 154367059
Bug: 154262220
Test: dumpsys android.automotive.watchdog.ICarWatchdog/default and check
if vehicle hal is registered as a client

Change-Id: Id450c5754bb6b845b4605b4d3877a3a56e5310cf

3 files changed, 8 insertions, 0 deletions

diff --git a/common/car.mk b/common/car.mk
index 7c14b01..01ae36b 100644
--- a/common/car.mk
+++ b/common/car.mk
@@ -72,4 +72,7 @@ PRODUCT_SYSTEM_DEFAULT_PROPERTIES := \
     android.car.number_pre_created_users=1 \
     android.car.number_pre_created_guests=1
 
+# Additional selinux policy
+BOARD_SEPOLICY_DIRS += device/generic/car/common/sepolicy
+
 $(call inherit-product, packages/services/Car/car_product/build/car.mk)
diff --git a/common/sepolicy/hal_vehicle_default.te b/common/sepolicy/hal_vehicle_default.te
new file mode 100644
index 0000000..c0a9698
--- /dev/null
+++ b/common/sepolicy/hal_vehicle_default.te
@@ -0,0 +1,3 @@
+# Configuration for register VHAL to car watchdog
+carwatchdog_client_domain(hal_vehicle_default)
+binder_use(hal_vehicle_default)
diff --git a/common/sepolicy/system_server.te b/common/sepolicy/system_server.te
new file mode 100644
index 0000000..a9ce1b1
--- /dev/null
+++ b/common/sepolicy/system_server.te
@@ -0,0 +1,2 @@
+# Allow system_server to kill vehicle HAL
+allow system_server hal_vehicle_server:process sigkill;