diff --git a/private/access_vectors b/private/access_vectors index afa42b0da..fc17c1dc9 100644 --- a/private/access_vectors +++ b/private/access_vectors @@ -750,6 +750,16 @@ class keystore2_key use_dev_id } +class diced +{ + demote + demote_self + derive + get_attestation_chain + use_seal + use_sign +} + class drmservice { consumeRights setPlaybackStatus diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil index 70621ad41..f89c3ba09 100644 --- a/private/compat/31.0/31.0.ignore.cil +++ b/private/compat/31.0/31.0.ignore.cil @@ -10,9 +10,14 @@ attestation_verification_service camera2_extensions_prop device_config_nnapi_native_prop + dice_maintenance_service + dice_node_service + diced + diced_exec extra_free_kbytes extra_free_kbytes_exec hal_contexthub_service + hal_dice_service hal_graphics_composer_service hal_health_service hal_radio_config_service diff --git a/private/crash_dump.te b/private/crash_dump.te index 9233a4dae..90ffeb5be 100644 --- a/private/crash_dump.te +++ b/private/crash_dump.te @@ -8,6 +8,7 @@ allow crash_dump { -apexd -bpfloader -crash_dump + -diced -init -kernel -keystore @@ -40,6 +41,7 @@ neverallow crash_dump { apexd userdebug_or_eng(`-apexd') bpfloader + diced init kernel keystore diff --git a/private/diced.te b/private/diced.te new file mode 100644 index 000000000..b37809c35 --- /dev/null +++ b/private/diced.te @@ -0,0 +1,6 @@ +typeattribute diced coredomain; + +init_daemon_domain(diced) + +# Talk to dice HAL. +hal_client_domain(diced, hal_dice) diff --git a/private/file_contexts b/private/file_contexts index 1079dca48..c1110cfd9 100644 --- a/private/file_contexts +++ b/private/file_contexts 
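Review bot: private/diced.te carries no assertion that keeps other domains from tracing diced, so the protection this commit adds rests on two hand-edited lists. crash_dump.te gains `-diced` in its allow set and `diced` in its neverallow, and llkd.te gains `-diced` in an allow set that appears to sit inside `userdebug_or_eng`. A later allow rule for any other domain would still pass the build. Adding `neverallow * diced:process ptrace;` to private/diced.te would enforce the same intent for every domain at compile time. keystore sits beside diced in both lists, so its policy is the natural model to compare against.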
@@ -270,6 +270,7 @@ /system/bin/credstore u:object_r:credstore_exec:s0 /system/bin/keystore u:object_r:keystore_exec:s0 /system/bin/keystore2 u:object_r:keystore_exec:s0 +/system/bin/diced u:object_r:diced_exec:s0 /system/bin/fingerprintd u:object_r:fingerprintd_exec:s0 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0 /system/bin/tombstoned u:object_r:tombstoned_exec:s0 diff --git a/private/llkd.te b/private/llkd.te index 9c96dfbf1..8512e8570 100644 --- a/private/llkd.te +++ b/private/llkd.te @@ -23,6 +23,7 @@ userdebug_or_eng(` allow llkd { domain -apexd + -diced -kernel -keystore -init diff --git a/private/security_classes b/private/security_classes index 200b030cc..0d3cc80ab 100644 --- a/private/security_classes +++ b/private/security_classes @@ -163,5 +163,8 @@ class keystore2 # userspace # Keystore 2.0 key permissions class keystore2_key # userspace +# Diced permissions +class diced # userspace + class drmservice # userspace # FLASK diff --git a/private/service_contexts b/private/service_contexts index f79715d05..0e723f28e 100644 --- a/private/service_contexts +++ b/private/service_contexts @@ -34,6 +34,7 @@ android.hardware.radio.voice.IRadioVoice/slot1 u:object_r: android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_voice_service:s0 android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_voice_service:s0 android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0 +android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0 android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0 android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0 android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0 
@@ -65,6 +66,8 @@ android.os.UpdateEngineStableService u:object_r:update_engine_stable_servic android.security.apc u:object_r:apc_service:s0 android.security.authorization u:object_r:authorization_service:s0 android.security.compat u:object_r:keystore_compat_hal_service:s0 +android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0 +android.security.dice.IDiceNode u:object_r:dice_node_service:s0 android.security.identity u:object_r:credstore_service:s0 android.security.keystore u:object_r:keystore_service:s0 android.security.legacykeystore u:object_r:legacykeystore_service:s0 diff --git a/public/attributes b/public/attributes index df82abfdf..07eecfc89 100644 --- a/public/attributes +++ b/public/attributes @@ -333,6 +333,7 @@ hal_attribute(codec2); hal_attribute(configstore); hal_attribute(confirmationui); hal_attribute(contexthub); +hal_attribute(dice); hal_attribute(drm); hal_attribute(dumpstate); hal_attribute(evs); diff --git a/public/diced.te b/public/diced.te new file mode 100644 index 000000000..09089368f --- /dev/null +++ b/public/diced.te @@ -0,0 +1,11 @@ +type diced, domain; +type diced_exec, system_file_type, exec_type, file_type; + +binder_use(diced) +binder_service(diced) + +add_service(diced, dice_node_service) +add_service(diced, dice_maintenance_service) + +# Check SELinux permissions. +selinux_check_access(diced) diff --git a/public/hal_dice.te b/public/hal_dice.te new file mode 100644 index 000000000..92222c5ce --- /dev/null +++ b/public/hal_dice.te @@ -0,0 +1,4 @@ +binder_call(hal_dice_client, hal_dice_server) + +hal_attribute_service(hal_dice, hal_dice_service) +binder_call(hal_dice_server, servicemanager) diff --git a/public/service.te b/public/service.te index 7f1fbe2f9..dc9b17850 100644 --- a/public/service.te +++ b/public/service.te 
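Review bot: `type diced, domain;` and `diced_exec` are declared under public/, which exposes them to vendor policy and is presumably why both names had to be listed in 31.0.ignore.cil. Nothing under vendor/ in this diff refers to either type; vendor/hal_dice_default.te only uses the `hal_dice` attribute. If no vendor rule needs them, the two type declarations and the `binder_use`/`binder_service`/`add_service`/`selinux_check_access` lines could live in private/diced.te next to `init_daemon_domain(diced)`, keeping the daemon's domain out of the versioned interface.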
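Review bot: Nothing in public/hal_dice.te bounds which domains may become `hal_dice_client`; in this diff diced is the only one, through `hal_client_domain(diced, hal_dice)` in private/diced.te. If diced is meant to be the single gateway to the HAL, which the separate `diced` permission class in access_vectors suggests, that could be asserted with a rule along the lines of `neverallow { domain -diced -hal_dice_server } hal_dice_service:service_manager find;`. The exact exclusion set would need checking against domains that legitimately look up HAL services. A one-line comment above the first `binder_call` naming the intended client would help either way.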
@@ -8,6 +8,8 @@ type batteryproperties_service, app_api_service, ephemeral_app_api_service, serv type bluetooth_service, service_manager_type; type cameraserver_service, service_manager_type; type default_android_service, service_manager_type; +type dice_maintenance_service, service_manager_type; +type dice_node_service, service_manager_type; type dnsresolver_service, service_manager_type; type drmserver_service, service_manager_type; type dumpstate_service, service_manager_type; @@ -259,6 +261,7 @@ type hal_audio_service, vendor_service, protected_service, service_manager_type; type hal_audiocontrol_service, vendor_service, service_manager_type; type hal_authsecret_service, vendor_service, protected_service, service_manager_type; type hal_contexthub_service, vendor_service, protected_service, service_manager_type; +type hal_dice_service, vendor_service, protected_service, service_manager_type; type hal_face_service, vendor_service, protected_service, service_manager_type; type hal_fingerprint_service, vendor_service, protected_service, service_manager_type; type hal_gnss_service, vendor_service, protected_service, service_manager_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index e2f14da02..35c2d9521 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -75,6 +75,7 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example u:object_r:hal_sensors_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0 /(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0 diff --git a/vendor/hal_dice_default.te b/vendor/hal_dice_default.te new file mode 100644 index 000000000..832e7172d --- /dev/null +++ b/vendor/hal_dice_default.te @@ -0,0 +1,5 @@ +type hal_dice_default, domain; +hal_server_domain(hal_dice_default, hal_dice) + +type hal_dice_default_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_dice_default)
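Review bot: The entry added to vendor/file_contexts labels a binary named `android.hardware.security.dice-service.non-secure-software` as `hal_dice_default_exec`, and neither this line nor vendor/hal_dice_default.te says what that name implies. Assuming it denotes a software-only reference implementation, a comment above the entry would make that visible, for example `# Software-only reference DICE HAL; hardware-backed implementations are expected to label their own service binary.`. The same sentence at the top of vendor/hal_dice_default.te would tell device integrators that `hal_dice_default` is not the domain for a hardware-rooted service. The surrounding file continues outside this hunk, so an existing convention for such comments may already apply.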