Merge "Add SELinux policy for credstore and update for IC HAL port from HIDL to AIDL."
1948c11d13
15 changed files with 64 additions and 5 deletions
|
@ -27,6 +27,10 @@
|
|||
bq_config_prop
|
||||
charger_prop
|
||||
cold_boot_done_prop
|
||||
credstore
|
||||
credstore_data_file
|
||||
credstore_exec
|
||||
credstore_service
|
||||
platform_compat_service
|
||||
ctl_apexd_prop
|
||||
dataloader_manager_service
|
||||
|
@ -39,7 +43,7 @@
|
|||
gmscore_app
|
||||
hal_can_bus_hwservice
|
||||
hal_can_controller_hwservice
|
||||
hal_identity_hwservice
|
||||
hal_identity_service
|
||||
hal_light_service
|
||||
hal_power_service
|
||||
hal_rebootescrow_service
|
||||
|
|
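--- a/private/credstore.te
+++ b/private/credstore.te
@@ -0,0 +1,6 @@
+typeattribute credstore coredomain;
+
+init_daemon_domain(credstore)
+
+# talk to Identity Credential
+hal_client_domain(credstore, hal_identity)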
|
@ -252,6 +252,7 @@
|
|||
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
|
||||
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
|
||||
/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
|
||||
/system/bin/credstore u:object_r:credstore_exec:s0
|
||||
/system/bin/keystore u:object_r:keystore_exec:s0
|
||||
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
|
||||
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
|
||||
|
@ -535,6 +536,7 @@
|
|||
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
|
||||
/data/misc/installd(/.*)? u:object_r:install_data_file:s0
|
||||
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
|
||||
/data/misc/credstore(/.*)? u:object_r:credstore_data_file:s0
|
||||
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
|
||||
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
|
||||
/data/misc/media(/.*)? u:object_r:media_data_file:s0
|
||||
|
|
|
@ -25,7 +25,6 @@ android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_b
|
|||
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
|
||||
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
|
||||
android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
|
||||
android.hardware.identity::IIdentityCredentialStore u:object_r:hal_identity_hwservice:s0
|
||||
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
|
||||
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
|
||||
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
|
||||
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
|
||||
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
|
||||
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
|
||||
|
@ -12,6 +13,7 @@ aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
|
|||
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
|
||||
alarm u:object_r:alarm_service:s0
|
||||
android.os.UpdateEngineService u:object_r:update_engine_service:s0
|
||||
android.security.identity u:object_r:credstore_service:s0
|
||||
android.security.keystore u:object_r:keystore_service:s0
|
||||
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
|
||||
app_binding u:object_r:app_binding_service:s0
|
||||
|
|
|
@ -293,6 +293,8 @@ allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_sta
|
|||
|
||||
use_keystore({ appdomain -isolated_app -ephemeral_app })
|
||||
|
||||
use_credstore({ appdomain -isolated_app -ephemeral_app })
|
||||
|
||||
allow appdomain console_device:chr_file { read write };
|
||||
|
||||
# only allow unprivileged socket ioctl commands
|
||||
|
@ -482,6 +484,7 @@ neverallow { appdomain -shell }
|
|||
neverallow { appdomain -bluetooth }
|
||||
bluetooth_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
|
||||
neverallow appdomain
|
||||
keystore_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
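Review bot: The new `neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;` is deliberately stronger than the keystore rule right below it (which only constrains appdomain and leaves read out of its permission set), but it carries no comment, and the bare `-init` exemption reads as if init may write credential data. A short comment above it would pin the intent: `# credstore's on-disk state is private to credstore; init is exempted only so it can create and restorecon the directory at boot.` The init-side grants that back this up live in init.te, not in this hunk, and the enclosing neverallow block continues past the hunk end.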
|
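--- a/public/credstore.te
+++ b/public/credstore.te
@@ -0,0 +1,16 @@
+type credstore, domain;
+type credstore_exec, system_file_type, exec_type, file_type;
+
+# credstore daemon
+binder_use(credstore)
+binder_service(credstore)
+binder_call(credstore, system_server)
+
+allow credstore credstore_data_file:dir create_dir_perms;
+allow credstore credstore_data_file:file create_file_perms;
+
+add_service(credstore, credstore_service)
+allow credstore sec_key_att_app_id_provider_service:service_manager find;
+allow credstore dropbox_service:service_manager find;
+
+r_dir_file(credstore, cgroup)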
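Review bot: The only explanatory comment in this new file is `# credstore daemon`; the two `service_manager find` grants on `sec_key_att_app_id_provider_service` and `dropbox_service` are the lines a later maintainer is most likely to question, and nothing here says which credstore code path needs each. The policy alone does not tell me why they are required, so the author should add a one-line why-comment above each find rule (and ideally one above the `credstore_data_file` rules naming the directory they cover, `/data/misc/credstore` per the file_contexts change in this commit). Without that, the finds tend to get copied into the next daemon unexamined.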
|
@ -654,6 +654,7 @@ full_treble_only(`
|
|||
-cameraserver_service
|
||||
-drmserver_service
|
||||
-hal_light_service # TODO(b/148154485) remove once all violators are gone
|
||||
-credstore_service
|
||||
-keystore_service
|
||||
-mediadrmserver_service
|
||||
-mediaextractor_service
|
||||
|
|
|
@ -359,6 +359,7 @@ type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
|
|||
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
|
||||
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
|
||||
type camera_data_file, file_type, data_file_type, core_data_file_type;
|
||||
type credstore_data_file, file_type, data_file_type, core_data_file_type;
|
||||
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
|
||||
type incident_data_file, file_type, data_file_type, core_data_file_type;
|
||||
type keychain_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
|
|
@ -1,4 +1,7 @@
|
|||
# HwBinder IPC from client to server
|
||||
binder_call(hal_identity_client, hal_identity_server)
|
||||
|
||||
hal_attribute_hwservice(hal_identity, hal_identity_hwservice)
|
||||
add_service(hal_identity_server, hal_identity_service)
|
||||
binder_call(hal_identity_server, servicemanager)
|
||||
|
||||
allow hal_identity_client hal_identity_service:service_manager find;
|
||||
|
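Review bot: The context line `# HwBinder IPC from client to server` is now stale: the lines added beneath it register the HAL via `add_service(hal_identity_server, hal_identity_service)` and `binder_call(hal_identity_server, servicemanager)`, i.e. plain binder through servicemanager, and hal_identity_service is declared as `vendor_service, service_manager_type` elsewhere in this commit. Change it to `# Binder IPC from client to server`. It also looks like `hal_attribute_hwservice(hal_identity, hal_identity_hwservice)` is the removed line (its hwservice type is dropped in hwservice.te in the same commit), which is the right cleanup, though the rendered page has lost the +/- markers so I am inferring that from the counts.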
|
|
@ -28,7 +28,6 @@ type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
|
|||
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_identity_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
|
|
|
@ -189,6 +189,7 @@ allow init {
|
|||
-app_data_file
|
||||
-exec_type
|
||||
-iorapd_data_file
|
||||
-credstore_data_file
|
||||
-keystore_data_file
|
||||
-misc_logd_file
|
||||
-nativetest_data_file
|
||||
|
@ -206,6 +207,7 @@ allow init {
|
|||
-exec_type
|
||||
-gsi_data_file
|
||||
-iorapd_data_file
|
||||
-credstore_data_file
|
||||
-keystore_data_file
|
||||
-misc_logd_file
|
||||
-nativetest_data_file
|
||||
|
@ -224,6 +226,7 @@ allow init {
|
|||
-exec_type
|
||||
-gsi_data_file
|
||||
-iorapd_data_file
|
||||
-credstore_data_file
|
||||
-keystore_data_file
|
||||
-misc_logd_file
|
||||
-nativetest_data_file
|
||||
|
@ -242,6 +245,7 @@ allow init {
|
|||
-exec_type
|
||||
-gsi_data_file
|
||||
-iorapd_data_file
|
||||
-credstore_data_file
|
||||
-keystore_data_file
|
||||
-misc_logd_file
|
||||
-nativetest_data_file
|
||||
|
@ -441,6 +445,11 @@ allow init misc_logd_file:file { open create getattr setattr write };
|
|||
allow init self:global_capability_class_set kill;
|
||||
allow init domain:process { getpgid sigkill signal };
|
||||
|
||||
# Init creates credstore's directory on boot, and walks through
|
||||
# the directory as part of a recursive restorecon.
|
||||
allow init credstore_data_file:dir { open create read getattr setattr search };
|
||||
allow init credstore_data_file:file { getattr };
|
||||
|
||||
# Init creates keystore's directory on boot, and walks through
|
||||
# the directory as part of a recursive restorecon.
|
||||
allow init keystore_data_file:dir { open create read getattr setattr search };
|
||||
|
|
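Review bot: In the last hunk, init is granted `credstore_data_file:file { getattr }` in addition to the dir permissions, whereas the keystore block directly below it, whose comment was copied verbatim, shows only a dir rule within this hunk. If the file getattr is genuinely needed for the recursive restorecon walk, the copied comment should say so, e.g. `# file getattr lets the restorecon walk stat entries already in the directory`; if it is not, drop it so init's footprint on credential data stays at directory level. The four `-credstore_data_file` exclusion-list additions in the earlier hunks are consistent with the existing `-keystore_data_file` entries and need no change.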
|
@ -16,6 +16,7 @@ type idmap_service, service_manager_type;
|
|||
type iorapd_service, service_manager_type;
|
||||
type incident_service, service_manager_type;
|
||||
type installd_service, service_manager_type;
|
||||
type credstore_service, app_api_service, service_manager_type;
|
||||
type keystore_service, service_manager_type;
|
||||
type lpdump_service, service_manager_type;
|
||||
type mediaserver_service, service_manager_type;
|
||||
|
@ -206,6 +207,7 @@ type tethering_service, app_api_service, ephemeral_app_api_service, system_serve
|
|||
### HAL Services
|
||||
###
|
||||
|
||||
type hal_identity_service, vendor_service, service_manager_type;
|
||||
type hal_light_service, vendor_service, service_manager_type;
|
||||
type hal_power_service, vendor_service, service_manager_type;
|
||||
type hal_rebootescrow_service, vendor_service, service_manager_type;
|
||||
|
|
|
@ -599,6 +599,18 @@ define(`use_keystore', `
|
|||
binder_call(keystore, $1)
|
||||
')
|
||||
|
||||
#####################################
|
||||
# use_credstore(domain)
|
||||
# Ability to use credstore.
|
||||
define(`use_credstore', `
|
||||
allow credstore $1:dir search;
|
||||
allow credstore $1:file { read open };
|
||||
allow credstore $1:process getattr;
|
||||
allow $1 credstore_service:service_manager find;
|
||||
binder_call($1, credstore)
|
||||
binder_call(credstore, $1)
|
||||
')
|
||||
|
||||
###########################################
|
||||
# use_drmservice(domain)
|
||||
# Ability to use DrmService which requires
|
||||
|
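Review bot: The `use_credstore` header comment (`# Ability to use credstore.`) describes the client-side grant but says nothing about the reverse-direction rules `allow credstore $1:dir search;`, `allow credstore $1:file { read open };` and `allow credstore $1:process getattr;`, which let credstore read files belonging to the calling domain; those are the lines a reviewer of any domain that invokes this macro will question. Presumably they mirror `use_keystore` (only its tail is visible here) and serve caller identification, but the macro should state that itself, e.g. `# Also lets credstore inspect the calling domain (dir search, file read/open, process getattr) — TODO confirm exactly which lookups credstore performs.` Keeping that hedge in the comment is better than leaving the grant unexplained.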
|
2
vendor/file_contexts
|
@ -36,7 +36,7 @@
|
|||
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity@1\.0-service.example u:object_r:hal_identity_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
|
||||
|
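Review bot: In the new path `/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example` the dot in `-service.example` is unescaped, so it is a regex wildcard while every other dot on the line is escaped. The removed HIDL line had the same inconsistency, so this is not a regression, but since the line is being rewritten anyway `-service\.example` would match exactly the binary name. Impact is minimal, one character of slack in a label-matching pattern, so this is a consistency point rather than a security one.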
|