tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/keystore.te

102 lines
3.5 KiB
Text
Raw Normal View History

Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 22:27:32 +01:00
typeattribute keystore coredomain;
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-07-22 22:13:11 +02:00
init_daemon_domain(keystore)
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-14 04:05:27 +02:00
# talk to keymaster
hal_client_domain(keystore, hal_keymaster)
Added default policy for Confirmation UI HAL Bug: 63928580 Test: Manually tested. Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
2018-01-09 23:42:53 +01:00
# talk to confirmationui
hal_client_domain(keystore, hal_confirmationui)
Allow keystore to talk to keymint Test: None Change-Id: Icb1f60b3c2971488a6a890c063d4e4babab2b2f2
2020-08-24 16:52:32 +02:00
# talk to keymint
hal_client_domain(keystore, hal_keymint)
Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" Revert submission 2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK Reason for revert: Relands the original topic: https://r.android.com/q/topic:%22expose-avf-rkp-hal%22 Changes from the reverted cl aosp/2812455: - The AIDL service type has been renamed from avf_* to hal_* to be consistent with the others. - The new AIDL service type, hal_remotelyprovisionedcomponent_avf_service, for the IRPC/avf service, has been set up with the server/client model for AIDL Hal. The virtualizationservice is declared as server and RKPD is declared as client to access the service instead of raw service permission setup as in the reverted cl. This is aligned with the AIDL Hal configuration recommendation. - Since the existing type for IRPC hal_remotelyprovisionedcomponent is already associated with keymint server/client and has specific permission requirements, and some of the keymint clients might not need the AVF Hal. We decided to create a new AIDL service type instead of reusing the exisiting keymint service type. Reverted changes: /q/submissionid:2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK Bug: 312427637 Bug: 310744536 Bug: 299257581 Test: atest MicrodroidHostTests librkp_support_test Change-Id: Id37764b5f98e3c30c0c63601560697cf1c02c0ad
2023-11-14 08:38:18 +01:00
# Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to
# access it.
# TODO(b/312427637): Investigate the reason and fix the denial.
dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find };
Added default policy for Confirmation UI HAL Bug: 63928580 Test: Manually tested. Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
2018-01-09 23:42:53 +01:00
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
Allow Keystore to check security logging property. This is needed to allow it to log audit events. Test: manual, import a key and see adb shell su system logcat -b security Bug: 70886042 Change-Id: Icd3c13172d47f8eac7c2a97c306d8c654e634f88
2018-01-24 20:49:18 +01:00
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
Add libselinux keystore_key backend. We add a new back end for SELinux based keystore2_key namespaces. This patch adds the rump policy and build system infrastructure for installing keystore2_key context files on the target devices. Bug: 158500146 Bug: 159466840 Test: None Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106 Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
2020-07-25 22:02:29 +02:00
Add ro.remote_provisioning.*.rkp_only properties. These properties are used to inform keystore2 and the RemoteProvisioner app how they should behave in the system in the event that RKP keys are exhausted. The usual behavior in a hybrid system is not to take any action and fallback to the factory provisioned key if key attestation is requested and no remotely provisioned keys are available. However, there are instances where this could happen on a device that was intended to be RKP only, in which case the system needs to know that it should go ahead and attempt to remotely provision new certificates or throw an error in the case where none are available. Test: New properties are accessible from the two domains Change-Id: I8d6c9e650566499bf08cfda2f71c64d5c2b26fd6
2022-02-02 06:15:44 +01:00
# Allow keystore to check if the system is rkp only.
get_prop(keystore, remote_prov_prop)
Add SELinux policies for remote_key_provisioning_native namespace. We need to separate out the feature flags in use by remote key provisioning daemon (RKPD). For this, I have set up a new namespace remote_key_provisioning_native. This change adds the SELinux policies to make sure appropriate permissions are present when accessing the feature flag for read/write. Change-Id: I9e73a623f847a058b6236dd0aa370a7f9a9e6da7 Test: TreeHugger
2022-09-29 23:20:22 +02:00
# Allow keystore to check rkpd feature flags
get_prop(keystore, device_config_remote_key_provisioning_native_prop)
Allow keystore to write to statsd. Keystore logging is migrated to use statsd. Therefore, keystore needs permission to write to statsd. Test: Treehugger passes. Bug: 157664923 Change-Id: I2fb61fd7e9732191e6991f199d04b5425b637830
2020-06-11 01:34:41 +02:00
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709) Bug: 166295507 Merged-In: I6d0b1be1a46288fff42c3689dbef2f7443efebcc Change-Id: I133180d20457b9f805f3da0915e2cf6e48229132
2020-08-29 10:45:24 +02:00
Stop granting permissions on keystore_key class When keystore was replaced with keystore2 in Android 12, the SELinux class of keystore keys was changed from keystore_key to keystore2_key. However, the rules that granted access to keystore_key were never removed. This CL removes them, as they are no longer needed. Don't actually remove the class and its permissions from private/security_classes and private/access_vectors. That would break the build because they're referenced by rules in prebuilts/. Bug: 171305684 Test: atest CtsKeystoreTestCases Flag: exempt, removing obsolete code Change-Id: I35d9ea22c0d069049a892def15a18696c4f287a3
2023-10-16 23:44:26 +02:00
# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
Add libselinux keystore_key backend. We add a new back end for SELinux based keystore2_key namespaces. This patch adds the rump policy and build system infrastructure for installing keystore2_key context files on the target devices. Bug: 158500146 Bug: 159466840 Test: None Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106 Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
2020-07-25 22:02:29 +02:00
allow keystore keystore2_key_contexts_file:file r_file_perms;
Allow keystore to write to statsd. Keystore logging is migrated to use statsd. Therefore, keystore needs permission to write to statsd. Test: Treehugger passes. Bug: 157664923 Change-Id: If15ee3eb2ae7036dbaccd31525feadb8f54c6162 Merged-In: I2fb61fd7e9732191e6991f199d04b5425b637830
2020-06-10 23:10:02 +02:00
Add ro.keystore.boot_level_key.strategy Bug: 241241178 Test: set property on Cuttlefish, check logs for strategy used. Change-Id: Ifaaec811316c43fdae232f9a08c5d862011ccc71
2022-08-22 18:00:25 +02:00
# Allow keystore to listen to changing boot levels
init sets keystore.boot_level, keystore reads Bug: 176450483 Test: init can set, and keystore2 read, keystore.boot_level Test: `adb shell getprop -Z | grep boot_level` returns [keystore.boot_level]: [u:object_r:keystore_listen_prop:s0] Change-Id: Iedb37db19e9153995800fc97de6ee8c536179caa
2021-02-23 17:40:05 +01:00
get_prop(keystore, keystore_listen_prop)
Keystore 2.0: sepolicy changes for vold to use keystore2 Vold needs to be able to search for keystore2 and keystore2 maintenance services, and call methods provided by those services. Bug: 181910578 Change-Id: I6e336c3bfaabe158b850dc175b6c9a942dd717be
2021-03-01 11:53:46 +01:00
Remove wait_for_keymaster and references No longer needed now init listens for property changes on a separate thread. Some references to wait_for_keymaster survive: in order to avoid trouble downstream, we keep the definition of the `wait_for_keymaster` and `wait_for_keymaster_exec` types, but remove all their permissions, and of course prebuilds and compat cil files are unchanged. Bug: 186580823 Test: Cuttlefish boots successfully Change-Id: Id97fc2668743fb58dfd10c75a4f4c4d0348284ce
2021-06-13 18:56:33 +02:00
# Keystore needs to transfer binder references to vold so that it
Keystore 2.0: sepolicy changes for vold to use keystore2 Vold needs to be able to search for keystore2 and keystore2 maintenance services, and call methods provided by those services. Bug: 181910578 Change-Id: I6e336c3bfaabe158b850dc175b6c9a942dd717be
2021-03-01 11:53:46 +01:00
# can call keystore methods on those references.
allow keystore vold:binder transfer;
Allow keystore to read and write keystore.crash_count system property. Additionally, remove the obsolete permission which allows keystore to register callbacks with statsd. There's no direct communication between keystore and statsd now. Ignore-AOSP-First: No mergepath to AOSP. Bug: 188590587 Test: statsd TestDrive script. Merged-In: I31d202751ba78bb547822020260a7e366cb8826e Change-Id: I31d202751ba78bb547822020260a7e366cb8826e
2021-07-03 01:14:50 +02:00
set_prop(keystore, keystore_crash_prop)
Allow service managers access to apex data. VintfObject will monitor for /apex directory for VINTF data. Add permissions for service managers to read this data. Bug: 239055387 Test: m && boot Change-Id: I179e008dadfcb323cde58a8a460bcfa2825a7b4f
2022-07-28 18:23:42 +02:00
# keystore is using apex_info via libvintf
use_apex_info(keystore)
Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \ <(git diff --staged | grep "^+" | cut -b2- | sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-27 09:18:41 +01:00
typeattribute keystore mlstrustedsubject;
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, remote_provisioning_service_server)
binder_call(keystore, system_server)
binder_call(keystore, wificond)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
allow keystore remote_provisioning_service:service_manager find;
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
add_service(keystore, keystore_maintenance_service)
add_service(keystore, keystore_metrics_service)
add_service(keystore, legacykeystore_service)
# Check SELinux permissions.
selinux_check_access(keystore)
r_dir_file(keystore, cgroup)
r_dir_file(keystore, cgroup_v2)
# The software KeyMint implementation used in km_compat needs
# to read the vendor security patch level.
get_prop(keystore, vendor_security_patch_level_prop);
# Allow keystore to read its vendor configuration
get_prop(keystore, keystore_config_prop)
###
### Neverallow rules
###
### Protect ourself from others
###
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
# system property, an exception is added for init as well.
neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
Reference in a new issue Copy permalink