From 2b6c6063ae8799f3d4e71032e06816ebfcd22586 Mon Sep 17 00:00:00 2001 From: Janis Danisevskis Date: Tue, 9 Nov 2021 17:49:02 -0800 Subject: [PATCH 1/2] Diced: Add policy for diced the DICE daemon. Bug: 198197213 Test: N/A Change-Id: I5d0b06e3cd0c594cff6120856ca3bb4f7c1dd98d --- private/access_vectors | 10 ++++++++++ private/compat/31.0/31.0.ignore.cil | 4 ++++ private/crash_dump.te | 2 ++ private/diced.te | 7 +++++++ private/file_contexts | 1 + private/llkd.te | 1 + private/security_classes | 3 +++ private/service_contexts | 2 ++ public/diced.te | 11 +++++++++++ public/service.te | 2 ++ 10 files changed, 43 insertions(+) create mode 100644 private/diced.te create mode 100644 public/diced.te diff --git a/private/access_vectors b/private/access_vectors index 6edcd1f57..21fa534ee 100644 --- a/private/access_vectors +++ b/private/access_vectors @@ -749,6 +749,16 @@ class keystore2_key use_dev_id } +class diced +{ + demote + demote_self + derive + get_attestation_chain + use_seal + use_sign +} + class drmservice { consumeRights setPlaybackStatus diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil index 47a2e8c3e..5e550936b 100644 --- a/private/compat/31.0/31.0.ignore.cil +++ b/private/compat/31.0/31.0.ignore.cil @@ -9,6 +9,10 @@ attestation_verification_service camera2_extensions_prop device_config_nnapi_native_prop + dice_maintenance_service + dice_node_service + diced + diced_exec extra_free_kbytes extra_free_kbytes_exec hal_contexthub_service diff --git a/private/crash_dump.te b/private/crash_dump.te index 9233a4dae..90ffeb5be 100644 --- a/private/crash_dump.te +++ b/private/crash_dump.te @@ -8,6 +8,7 @@ allow crash_dump { -apexd -bpfloader -crash_dump + -diced -init -kernel -keystore @@ -40,6 +41,7 @@ neverallow crash_dump { apexd userdebug_or_eng(`-apexd') bpfloader + diced init kernel keystore diff --git a/private/diced.te b/private/diced.te new file mode 100644 index 000000000..9d281288d --- /dev/null +++ b/private/diced.te 
@@ -0,0 +1,7 @@ +typeattribute diced coredomain; + +init_daemon_domain(diced) + +# Talk to dice HAL. +# TODO uncomment when implemented. +# hal_client_domain(diced, hal_dice) diff --git a/private/file_contexts b/private/file_contexts index e7045e017..de7291bfe 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -270,6 +270,7 @@ /system/bin/credstore u:object_r:credstore_exec:s0 /system/bin/keystore u:object_r:keystore_exec:s0 /system/bin/keystore2 u:object_r:keystore_exec:s0 +/system/bin/diced u:object_r:diced_exec:s0 /system/bin/fingerprintd u:object_r:fingerprintd_exec:s0 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0 /system/bin/tombstoned u:object_r:tombstoned_exec:s0 diff --git a/private/llkd.te b/private/llkd.te index 9c96dfbf1..8512e8570 100644 --- a/private/llkd.te +++ b/private/llkd.te @@ -23,6 +23,7 @@ userdebug_or_eng(` allow llkd { domain -apexd + -diced -kernel -keystore -init diff --git a/private/security_classes b/private/security_classes index 200b030cc..0d3cc80ab 100644 --- a/private/security_classes +++ b/private/security_classes @@ -163,5 +163,8 @@ class keystore2 # userspace # Keystore 2.0 key permissions class keystore2_key # userspace +# Diced permissions +class diced # userspace + class drmservice # userspace # FLASK diff --git a/private/service_contexts b/private/service_contexts index f79715d05..81d8f8e67 100644 --- a/private/service_contexts +++ b/private/service_contexts 
@@ -65,6 +65,8 @@ android.os.UpdateEngineStableService u:object_r:update_engine_stable_servic
 android.security.apc u:object_r:apc_service:s0
 android.security.authorization u:object_r:authorization_service:s0
 android.security.compat u:object_r:keystore_compat_hal_service:s0
+android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
+android.security.dice.IDiceNode u:object_r:dice_node_service:s0
 android.security.identity u:object_r:credstore_service:s0
 android.security.keystore u:object_r:keystore_service:s0
 android.security.legacykeystore u:object_r:legacykeystore_service:s0
diff --git a/public/diced.te b/public/diced.te
new file mode 100644
index 000000000..09089368f
--- /dev/null
+++ b/public/diced.te
@@ -0,0 +1,11 @@
+type diced, domain;
+type diced_exec, system_file_type, exec_type, file_type;
+
+binder_use(diced)
+binder_service(diced)
+
+add_service(diced, dice_node_service)
+add_service(diced, dice_maintenance_service)
+
+# Check SELinux permissions.
+selinux_check_access(diced)
diff --git a/public/service.te b/public/service.te
index 7f1fbe2f9..9ffed6397 100644
--- a/public/service.te
+++ b/public/service.te
@@ -8,6 +8,8 @@ type batteryproperties_service, app_api_service, ephemeral_app_api_service, serv
 type bluetooth_service, service_manager_type;
 type cameraserver_service, service_manager_type;
 type default_android_service, service_manager_type;
+type dice_maintenance_service, service_manager_type;
+type dice_node_service, service_manager_type;
 type dnsresolver_service, service_manager_type;
 type drmserver_service, service_manager_type;
 type dumpstate_service, service_manager_type;
From bc7a33ece96d7da5a79509983caf1a2a67c4ecbd Mon Sep 17 00:00:00 2001
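Review bot: `selinux_check_access(diced)` in public/diced.te is what gives the new `diced` security class any effect, yet the only comment on it is `# Check SELinux permissions.`; because private/security_classes declares `class diced # userspace`, the kernel never evaluates `demote`, `demote_self`, `derive`, `get_attestation_chain`, `use_seal` or `use_sign`, and the daemon must query them itself before acting for a caller. I would replace the comment with `# The 'diced' security class (private/access_vectors) is userspace-only: diced queries the AVC itself to enforce those permissions on its callers.` Note also that no domain in this patch is granted any `diced` class permission or `find` on `dice_node_service`/`dice_maintenance_service`, so presumably those rules arrive with the first clients; a sentence in the file saying so would save the next reader from checking.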
From: Janis Danisevskis Date: Wed, 10 Nov 2021 14:52:05 -0800 Subject: [PATCH 2/2] Dice HAL: Add policy for dice HAL. And allow diced to talk to the dice HAL. Bug: 198197213 Test: N/A Change-Id: I74797b13656b38b50d7cd28a4c4c6ec4c8d1d1aa --- private/compat/31.0/31.0.ignore.cil | 1 + private/diced.te | 3 +-- private/service_contexts | 1 + public/attributes | 1 + public/hal_dice.te | 4 ++++ public/service.te | 1 + vendor/file_contexts | 1 + vendor/hal_dice_default.te | 5 +++++ 8 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 public/hal_dice.te create mode 100644 vendor/hal_dice_default.te diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil index 5e550936b..c92cc626c 100644 --- a/private/compat/31.0/31.0.ignore.cil +++ b/private/compat/31.0/31.0.ignore.cil @@ -16,6 +16,7 @@ extra_free_kbytes extra_free_kbytes_exec hal_contexthub_service + hal_dice_service hal_graphics_composer_service hal_health_service hal_radio_config_service diff --git a/private/diced.te b/private/diced.te index 9d281288d..b37809c35 100644 --- a/private/diced.te +++ b/private/diced.te @@ -3,5 +3,4 @@ typeattribute diced coredomain; init_daemon_domain(diced) # Talk to dice HAL. -# TODO uncomment when implemented. -# hal_client_domain(diced, hal_dice) +hal_client_domain(diced, hal_dice) diff --git a/private/service_contexts b/private/service_contexts index 81d8f8e67..0e723f28e 100644 --- a/private/service_contexts +++ b/private/service_contexts 
@@ -34,6 +34,7 @@ android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:
 android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_voice_service:s0
 android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_voice_service:s0
 android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
 android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
 android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
 android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
diff --git a/public/attributes b/public/attributes
index df82abfdf..07eecfc89 100644
--- a/public/attributes
+++ b/public/attributes
@@ -333,6 +333,7 @@ hal_attribute(codec2);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
+hal_attribute(dice);
 hal_attribute(drm);
 hal_attribute(dumpstate);
 hal_attribute(evs);
diff --git a/public/hal_dice.te b/public/hal_dice.te
new file mode 100644
index 000000000..92222c5ce
--- /dev/null
+++ b/public/hal_dice.te
@@ -0,0 +1,4 @@
+binder_call(hal_dice_client, hal_dice_server)
+
+hal_attribute_service(hal_dice, hal_dice_service)
+binder_call(hal_dice_server, servicemanager)
diff --git a/public/service.te b/public/service.te
index 9ffed6397..dc9b17850 100644
--- a/public/service.te
+++ b/public/service.te
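Review bot: `binder_call(hal_dice_client, hal_dice_server)` in public/hal_dice.te is one-directional, with no matching `binder_call(hal_dice_server, hal_dice_client)`, so any callback from the HAL server into diced would be denied. If the IDiceDevice interface carries no callbacks that is the tighter choice and should stay, but nothing in the file records it as deliberate, and a maintainer copying the two-line pattern from other hal_*.te files may add the reverse rule by reflex. A one-line comment above the rule, `# Deliberately one-way: the server is not allowed to call back into its clients.`, would pin the intent.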
@@ -261,6 +261,7 @@ type hal_audio_service, vendor_service, protected_service, service_manager_type;
 type hal_audiocontrol_service, vendor_service, service_manager_type;
 type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
 type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
+type hal_dice_service, vendor_service, protected_service, service_manager_type;
 type hal_face_service, vendor_service, protected_service, service_manager_type;
 type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
 type hal_gnss_service, vendor_service, protected_service, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index e2f14da02..35c2d9521 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -75,6 +75,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
diff --git a/vendor/hal_dice_default.te b/vendor/hal_dice_default.te
new file mode 100644
index 000000000..832e7172d
--- /dev/null
+++ b/vendor/hal_dice_default.te
@@ -0,0 +1,5 @@
+type hal_dice_default, domain;
+hal_server_domain(hal_dice_default, hal_dice)
+
+type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dice_default)
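Review bot: hal_dice_default in vendor/hal_dice_default.te is not added to the exclusion lists that patch 1 extended for diced in private/crash_dump.te and private/llkd.te, so the broad `domain`-minus-exclusions allows visible there (`allow llkd { domain -apexd -diced ...`) presumably still cover the HAL process. The default service is the `non-secure-software` implementation named in vendor/file_contexts, which suggests the DICE secrets it derives live in the HAL's own process memory, where a ptrace or tombstone by crash_dump or llkd could expose them in the same way the diced exclusions were meant to prevent. If that reading is right, the server deserves the same treatment, most likely via the public `hal_dice_server` attribute rather than the vendor type, since private platform policy should not name vendor domains; if vendor DICE servers are intentionally left dumpable, a comment in this file recording that decision would help.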