platform_system_sepolicy/microdroid/vendor/hal_dice_default.te

type hal_dice_default, domain;
hal_server_domain(hal_dice_default, hal_dice)

# Block crash dumps to ensure the DICE secrets are not leaked.
typeattribute hal_dice_default no_crash_dump_domain;

type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_dice_default)

# hal_dice_default is using bootstrap bionic
use_bootstrap_libs(hal_dice_default)

allow hal_dice_default sysfs_dt_avf:file r_file_perms;
allow hal_dice_default open_dice_device:chr_file rw_file_perms;
Add policies for diced and hal_dice in microdroid Bug: 214231981 Test: run microdroid and check diced is up and running Change-Id: I605d7d6a790b8a14e575e67e1dcf02eaf7a5eafc 2022-01-12 17:37:00 +01:00			`type hal_dice_default, domain;`
			`hal_server_domain(hal_dice_default, hal_dice)`

Modify sepolicy for compos key changes Add the compos_key_helper domain for the process which has access to the signing key, make sure it can't be crashdumped. Also extend that protection to diced & its HAL. Rename compos_verify_key to compos_verify, because it doesn't verify keys any more. Move exec types used by Microdroid to file.te in the host rather than their own dedicated files. Bug: 218494522 Test: atest CompOsSigningHostTest CompOsDenialHostTest Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1 2022-02-14 15:33:37 +01:00			`# Block crash dumps to ensure the DICE secrets are not leaked.`
			`typeattribute hal_dice_default no_crash_dump_domain;`

Add policies for diced and hal_dice in microdroid Bug: 214231981 Test: run microdroid and check diced is up and running Change-Id: I605d7d6a790b8a14e575e67e1dcf02eaf7a5eafc 2022-01-12 17:37:00 +01:00			`type hal_dice_default_exec, exec_type, vendor_file_type, file_type;`
			`init_daemon_domain(hal_dice_default)`
Make the DICE HAL a bootstrap process This HAL starts before APEXs are activated so needs access to the bootstrap bionic libraries. Bug: 214231981 Test: run microdroid Change-Id: If82729eb2eff812916f257d24ce206e371be0c56 2022-01-21 19:19:21 +01:00
			`# hal_dice_default is using bootstrap bionic`
Add use_bionic_libs macro ... to dedupe rules for allowing access to bootstrap bionic libraries. Bug: N/A Test: m Change-Id: I575487416a356c22f5f06f1713032f11d979d7d4 2022-01-23 15:55:41 +01:00			`use_bootstrap_libs(hal_dice_default)`
Give DICE HAL access to driver The driver facilitates the handover of values from the bootloader so needs to be accessible by the HAL. Bug: 214231981 Test: run microdroid with a "google,open-dice" DT node Change-Id: Ib5317e6a42befe22d8f1dbefeb9803f5ec92b061 2022-01-24 21:27:49 +01:00
Define access to AVF chosen node properties Give microdroid_manager and the DICE HAL access to the AVF chosen node properties that are used to indicate that the VM is booting in strict more and that the current boot is provisioning a new VM instance. Bug: 221051866 Bug: 217376291 Test: atest MicrodroidTests Change-Id: Ie8451fc80671557086f8d825ad01600f9cb4557a 2022-03-14 12:36:11 +01:00			`allow hal_dice_default sysfs_dt_avf:file r_file_perms;`
Let the DICE HAL getattr the device node Make sure all the permissions are granted to let the HAL do its work properly. Bug: 214231981 Test: atest MicrodroidTestApp Change-Id: I54c633b8163ea313c87856fb0513074a76ac86a1 2022-02-17 13:35:22 +01:00			`allow hal_dice_default open_dice_device:chr_file rw_file_perms;`