Merge "Add SELinux policy for credstore and update for IC HAL port from HIDL to AIDL."

This commit is contained in:
David Zeuthen 2020-02-19 21:14:40 +00:00 committed by Gerrit Code Review
commit 1948c11d13
15 changed files with 64 additions and 5 deletions


@ -27,6 +27,10 @@
bq_config_prop
charger_prop
cold_boot_done_prop
credstore
credstore_data_file
credstore_exec
credstore_service
platform_compat_service
ctl_apexd_prop
dataloader_manager_service
@ -39,7 +43,7 @@
gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
hal_identity_hwservice
hal_identity_service
hal_light_service
hal_power_service
hal_rebootescrow_service

6
private/credstore.te Normal file

@ -0,0 +1,6 @@
typeattribute credstore coredomain;
init_daemon_domain(credstore)
# talk to Identity Credential
hal_client_domain(credstore, hal_identity)
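Review bot: The only comment in private/credstore.te, `# talk to Identity Credential`, does not say what is being granted; since `hal_client_domain(credstore, hal_identity)` makes credstore a client of the identity HAL, `# Client of the Identity Credential HAL (hal_identity)` would state it. A one-line file header saying that credstore is the system daemon that fronts that HAL for app callers (presumably its role, given use_credstore in te_macros) would also help readers who open this file first.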


@ -252,6 +252,7 @@
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
@ -535,6 +536,7 @@
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
/data/misc/installd(/.*)? u:object_r:install_data_file:s0
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
/data/misc/credstore(/.*)? u:object_r:credstore_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0


@ -25,7 +25,6 @@ android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_b
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
android.hardware.identity::IIdentityCredentialStore u:object_r:hal_identity_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0


@ -1,3 +1,4 @@
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
@ -12,6 +13,7 @@ aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0


@ -293,6 +293,8 @@ allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_sta
use_keystore({ appdomain -isolated_app -ephemeral_app })
use_credstore({ appdomain -isolated_app -ephemeral_app })
allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
@ -482,6 +484,7 @@ neverallow { appdomain -shell }
neverallow { appdomain -bluetooth }
bluetooth_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
neverallow appdomain
keystore_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
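Review bot: The new `neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;` is domain-wide, but it sits among appdomain-scoped neverallows — the keystore rule directly below it only covers appdomain and only lists write-side permissions — so a reader will not expect a global rule here. Either move it next to the other domain-wide file neverallows or put a line above it such as `# credstore_data_file is private to credstore; only init may touch it (directory creation and restorecon).` so the stricter scope reads as intentional. Because it names init as the sole other domain, any future helper that must relabel or back up this directory has to be added to the exemption list explicitly.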

16
public/credstore.te Normal file

@ -0,0 +1,16 @@
type credstore, domain;
type credstore_exec, system_file_type, exec_type, file_type;
# credstore daemon
binder_use(credstore)
binder_service(credstore)
binder_call(credstore, system_server)
allow credstore credstore_data_file:dir create_dir_perms;
allow credstore credstore_data_file:file create_file_perms;
add_service(credstore, credstore_service)
allow credstore sec_key_att_app_id_provider_service:service_manager find;
allow credstore dropbox_service:service_manager find;
r_dir_file(credstore, cgroup)
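Review bot: None of the allow rules in public/credstore.te say why they are needed, which matters for a policy file that later maintainers will try to tighten: `allow credstore sec_key_att_app_id_provider_service:service_manager find;`, `allow credstore dropbox_service:service_manager find;` and `r_dir_file(credstore, cgroup)` each deserve a one-line reason. For example `# attestation application-id lookup in system_server` over the first (presumably also why `binder_call(credstore, system_server)` is granted — worth confirming), `# error reporting` over the dropbox line, and a comment naming what credstore actually reads under cgroup over the last. The header `# credstore daemon` could also mention that credstore_data_file is reachable only from this domain and init.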


@ -654,6 +654,7 @@ full_treble_only(`
-cameraserver_service
-drmserver_service
-hal_light_service # TODO(b/148154485) remove once all violators are gone
-credstore_service
-keystore_service
-mediadrmserver_service
-mediaextractor_service
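Review bot: `-credstore_service` is added to this exemption list, but service.te in the same commit declares credstore_service with the app_api_service attribute, so if the list already exempts `app_api_service` (the head of the neverallow is outside the hunk, so this is inferred) the new entry is redundant and the two places can drift apart. If the explicit entry is wanted anyway — for parity with `-keystore_service`, which is not app_api_service — a short comment like `-credstore_service # reached by apps via use_credstore()` would say why it is listed. The enclosing full_treble_only neverallow starts outside the hunk.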


@ -359,6 +359,7 @@ type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
type credstore_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;


@ -1,4 +1,7 @@
# HwBinder IPC from client to server
binder_call(hal_identity_client, hal_identity_server)
hal_attribute_hwservice(hal_identity, hal_identity_hwservice)
add_service(hal_identity_server, hal_identity_service)
binder_call(hal_identity_server, servicemanager)
allow hal_identity_client hal_identity_service:service_manager find;
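Review bot: The leading comment `# HwBinder IPC from client to server` is now misleading for a HAL whose service is registered with `add_service(hal_identity_server, hal_identity_service)` and found through servicemanager; change it to `# Binder IPC from client to server`. `hal_attribute_hwservice(hal_identity, hal_identity_hwservice)` references a type this same commit deletes from hwservice.te, so that line must be on the removed side of this hunk — the rendered page has lost the +/- markers, so confirm before merge.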


@ -28,7 +28,6 @@ type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
type hal_identity_hwservice, hwservice_manager_type, protected_hwservice;
type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;


@ -189,6 +189,7 @@ allow init {
-app_data_file
-exec_type
-iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@ -206,6 +207,7 @@ allow init {
-exec_type
-gsi_data_file
-iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@ -224,6 +226,7 @@ allow init {
-exec_type
-gsi_data_file
-iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@ -242,6 +245,7 @@ allow init {
-exec_type
-gsi_data_file
-iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@ -441,6 +445,11 @@ allow init misc_logd_file:file { open create getattr setattr write };
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };
# Init creates credstore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init credstore_data_file:dir { open create read getattr setattr search };
allow init credstore_data_file:file { getattr };
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };


@ -16,6 +16,7 @@ type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
type keystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
@ -206,6 +207,7 @@ type tethering_service, app_api_service, ephemeral_app_api_service, system_serve
### HAL Services
###
type hal_identity_service, vendor_service, service_manager_type;
type hal_light_service, vendor_service, service_manager_type;
type hal_power_service, vendor_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, service_manager_type;
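Review bot: `type credstore_service, app_api_service, service_manager_type;` lets every app_api_service consumer `find` the service, whereas the parallel `keystore_service` is declared without that attribute and apps reach it only through use_keystore; use_credstore in te_macros already grants `$1 credstore_service:service_manager find` to what is presumably the same app set, so the attribute is either redundant or intentionally wider. Add a comment stating which, e.g. `# app_api_service: findable by apps outside the use_credstore() set`, or drop the attribute for parity with keystore_service. The `hal_identity_service` declaration in the second hunk follows the other AIDL HAL services and needs nothing.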


@ -599,6 +599,18 @@ define(`use_keystore', `
binder_call(keystore, $1)
')
#####################################
# use_credstore(domain)
# Ability to use credstore.
define(`use_credstore', `
allow credstore $1:dir search;
allow credstore $1:file { read open };
allow credstore $1:process getattr;
allow $1 credstore_service:service_manager find;
binder_call($1, credstore)
binder_call(credstore, $1)
')
###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
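Review bot: The first three lines of `use_credstore` (`allow credstore $1:dir search;`, `allow credstore $1:file { read open };`, `allow credstore $1:process getattr;`) give credstore read access to objects labelled with the caller's domain without saying why; presumably this mirrors use_keystore so credstore can inspect a caller's /proc/<pid> entries to identify it, but only the tail of use_keystore is visible, so that is inferred. A comment above those lines such as `# credstore reads /proc/<pid> of its callers to identify them` would make the grant reviewable. The `#####` separator is also narrower than the one used for use_drmservice just below; match the existing width.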


@ -36,7 +36,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity@1\.0-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
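Review bot: In the new line the dot in `-service.example` is unescaped, so as a file_contexts regex it matches any character, unlike every other `\.` on the line; the old @1.0 entry had the same slip, but since the line is being rewritten it should read `/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service\.example u:object_r:hal_identity_default_exec:s0`. An over-broad exec pattern can label an unrelated binary with a HAL domain, so keeping the pattern exact is worth the one-character fix.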