Merge "SE Policy for Secure Element app and Secure Element HAL" am: 6a60cb3e69
am: f285f2db4b
am: 4757882300
Change-Id: I36147d7f0359cef7f80ee36086150936bed2e672
commit
1c57b81c1e
15 changed files with 41 additions and 0 deletions
|
@ -201,6 +201,7 @@ neverallow all_untrusted_apps {
|
||||||
hal_nfc_hwservice
|
hal_nfc_hwservice
|
||||||
hal_oemlock_hwservice
|
hal_oemlock_hwservice
|
||||||
hal_power_hwservice
|
hal_power_hwservice
|
||||||
|
hal_secure_element_hwservice
|
||||||
hal_sensors_hwservice
|
hal_sensors_hwservice
|
||||||
hal_telephony_hwservice
|
hal_telephony_hwservice
|
||||||
hal_thermal_hwservice
|
hal_thermal_hwservice
|
||||||
|
|
|
@ -42,6 +42,7 @@
|
||||||
hal_confirmationui_hwservice
|
hal_confirmationui_hwservice
|
||||||
hal_lowpan_hwservice
|
hal_lowpan_hwservice
|
||||||
hal_neuralnetworks_hwservice
|
hal_neuralnetworks_hwservice
|
||||||
|
hal_secure_element_hwservice
|
||||||
hal_tetheroffload_hwservice
|
hal_tetheroffload_hwservice
|
||||||
hal_wifi_hostapd_hwservice
|
hal_wifi_hostapd_hwservice
|
||||||
hal_usb_gadget_hwservice
|
hal_usb_gadget_hwservice
|
||||||
|
@ -65,6 +66,9 @@
|
||||||
perfetto_traces_data_file
|
perfetto_traces_data_file
|
||||||
perfprofd_service
|
perfprofd_service
|
||||||
property_info
|
property_info
|
||||||
|
secure_element
|
||||||
|
secure_element_tmpfs
|
||||||
|
secure_element_service
|
||||||
slice_service
|
slice_service
|
||||||
stats
|
stats
|
||||||
stats_data_file
|
stats_data_file
|
||||||
|
|
|
@ -39,6 +39,7 @@ android.hardware.radio.deprecated::IOemHook u:object_r:hal_t
|
||||||
android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
|
android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
|
||||||
android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
|
android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
|
||||||
android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
|
android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
|
||||||
|
android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
|
||||||
android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
|
android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
|
||||||
android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
|
android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
|
||||||
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
|
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
|
||||||
|
|
|
@ -24,6 +24,7 @@ allow nfc radio_service:service_manager find;
|
||||||
allow nfc app_api_service:service_manager find;
|
allow nfc app_api_service:service_manager find;
|
||||||
allow nfc system_api_service:service_manager find;
|
allow nfc system_api_service:service_manager find;
|
||||||
allow nfc vr_manager_service:service_manager find;
|
allow nfc vr_manager_service:service_manager find;
|
||||||
|
allow nfc secure_element_service:service_manager find;
|
||||||
|
|
||||||
set_prop(nfc, nfc_prop);
|
set_prop(nfc, nfc_prop);
|
||||||
|
|
||||||
|
|
|
@ -99,6 +99,7 @@ user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_d
|
||||||
user=system seinfo=platform domain=system_app type=system_app_data_file
|
user=system seinfo=platform domain=system_app type=system_app_data_file
|
||||||
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
|
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
|
||||||
user=nfc seinfo=platform domain=nfc type=nfc_data_file
|
user=nfc seinfo=platform domain=nfc type=nfc_data_file
|
||||||
|
user=secure_element seinfo=platform domain=secure_element levelFrom=all
|
||||||
user=radio seinfo=platform domain=radio type=radio_data_file
|
user=radio seinfo=platform domain=radio type=radio_data_file
|
||||||
user=shared_relro domain=shared_relro
|
user=shared_relro domain=shared_relro
|
||||||
user=shell seinfo=platform domain=shell type=shell_data_file
|
user=shell seinfo=platform domain=shell type=shell_data_file
|
||||||
|
|
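Review bot: The new `user=secure_element seinfo=platform domain=secure_element levelFrom=all` entry sets no `type=`, while the neighbouring nfc, bluetooth and radio entries each name a data-file type. If the Secure Element service is meant to be stateless, a short comment saying so would stop a later reader from treating the omission as an oversight. If it is expected to persist anything, it should get its own data-file type declared and referenced here (`type=<secure element data type — placeholder>`) rather than relying on whatever labelling applies when none is given. How a data directory is labelled for an entry without `type=` is not visible from this hunk and should be confirmed.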
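--- a/private/secure_element.te
+++ b/private/secure_element.te
@@ -0,0 +1,14 @@
+# secure element subsystem
+typeattribute secure_element coredomain;
+app_domain(secure_element)
+
+binder_service(secure_element)
+add_service(secure_element, secure_element_service)
+
+allow secure_element app_api_service:service_manager find;
+hal_client_domain(secure_element, hal_secure_element)
+
+# already open bugreport file descriptors may be shared with
+# the secure element process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow secure_element shell_data_file:file read;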
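Review bot: The last rule, `allow secure_element shell_data_file:file read;`, is justified only by a generic comment about already-open bugreport descriptors, which does not say which caller would hand one to the Secure Element process or why. Because the rule grants `read` without `open`, exposure is limited to descriptors passed in over IPC, but a domain that fronts secure element hardware should carry only permissions with a known use. Either drop the rule until a concrete need appears, or extend the comment to name the sender, e.g. `# bugreport fds are passed by <caller — to be named>`. The same question applies, less sharply, to the broad `app_api_service:service_manager find` grant above it.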
@ -134,6 +134,7 @@ rttmanager u:object_r:rttmanager_service:s0
|
||||||
samplingprofiler u:object_r:samplingprofiler_service:s0
|
samplingprofiler u:object_r:samplingprofiler_service:s0
|
||||||
scheduling_policy u:object_r:scheduling_policy_service:s0
|
scheduling_policy u:object_r:scheduling_policy_service:s0
|
||||||
search u:object_r:search_service:s0
|
search u:object_r:search_service:s0
|
||||||
|
secure_element u:object_r:secure_element_service:s0
|
||||||
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
|
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
|
||||||
sensorservice u:object_r:sensorservice_service:s0
|
sensorservice u:object_r:sensorservice_service:s0
|
||||||
serial u:object_r:serial_service:s0
|
serial u:object_r:serial_service:s0
|
||||||
|
|
|
@ -232,6 +232,7 @@ hal_attribute(neuralnetworks);
|
||||||
hal_attribute(nfc);
|
hal_attribute(nfc);
|
||||||
hal_attribute(oemlock);
|
hal_attribute(oemlock);
|
||||||
hal_attribute(power);
|
hal_attribute(power);
|
||||||
|
hal_attribute(secure_element);
|
||||||
hal_attribute(sensors);
|
hal_attribute(sensors);
|
||||||
hal_attribute(telephony);
|
hal_attribute(telephony);
|
||||||
hal_attribute(tetheroffload);
|
hal_attribute(tetheroffload);
|
||||||
|
|
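--- a/public/hal_secure_element.te
+++ b/public/hal_secure_element.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_secure_element_client, hal_secure_element_server)
+binder_call(hal_secure_element_server, hal_secure_element_client)
+
+add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
+allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;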
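Review bot: Nothing in this file prevents a later policy change from granting `find` on `hal_secure_element_hwservice` to a domain directly, without going through the `hal_secure_element_client` attribute; the final `allow ... find` line is the only statement about lookup. The `neverallow all_untrusted_apps` hunk elsewhere in this commit covers untrusted apps, but not other system or vendor domains. A compile-time guard would pin the intended client set: `neverallow { domain -hal_secure_element_client -hal_secure_element_server } hal_secure_element_hwservice:hwservice_manager find;`. The `su` domain receives the client attribute in the userdebug hunk, so it would not trip this rule.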
@ -32,6 +32,7 @@ type hal_oemlock_hwservice, hwservice_manager_type;
|
||||||
type hal_omx_hwservice, hwservice_manager_type;
|
type hal_omx_hwservice, hwservice_manager_type;
|
||||||
type hal_power_hwservice, hwservice_manager_type;
|
type hal_power_hwservice, hwservice_manager_type;
|
||||||
type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
|
type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
|
||||||
|
type hal_secure_element_hwservice, hwservice_manager_type;
|
||||||
type hal_sensors_hwservice, hwservice_manager_type;
|
type hal_sensors_hwservice, hwservice_manager_type;
|
||||||
type hal_telephony_hwservice, hwservice_manager_type;
|
type hal_telephony_hwservice, hwservice_manager_type;
|
||||||
type hal_tetheroffload_hwservice, hwservice_manager_type;
|
type hal_tetheroffload_hwservice, hwservice_manager_type;
|
||||||
|
|
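--- a/public/secure_element.te
+++ b/public/secure_element.te
@@ -0,0 +1,2 @@
+# secure_element subsystem
+type secure_element, domain;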
@ -23,6 +23,7 @@ type netd_service, service_manager_type;
|
||||||
type nfc_service, service_manager_type;
|
type nfc_service, service_manager_type;
|
||||||
type perfprofd_service, service_manager_type;
|
type perfprofd_service, service_manager_type;
|
||||||
type radio_service, service_manager_type;
|
type radio_service, service_manager_type;
|
||||||
|
type secure_element_service, service_manager_type;
|
||||||
type storaged_service, service_manager_type;
|
type storaged_service, service_manager_type;
|
||||||
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
|
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
|
||||||
type system_app_service, service_manager_type;
|
type system_app_service, service_manager_type;
|
||||||
|
|
|
@ -82,6 +82,7 @@ userdebug_or_eng(`
|
||||||
typeattribute su hal_nfc_client;
|
typeattribute su hal_nfc_client;
|
||||||
typeattribute su hal_oemlock_client;
|
typeattribute su hal_oemlock_client;
|
||||||
typeattribute su hal_power_client;
|
typeattribute su hal_power_client;
|
||||||
|
typeattribute su hal_secure_element_client;
|
||||||
typeattribute su hal_sensors_client;
|
typeattribute su hal_sensors_client;
|
||||||
typeattribute su hal_telephony_client;
|
typeattribute su hal_telephony_client;
|
||||||
typeattribute su hal_tetheroffload_client;
|
typeattribute su hal_tetheroffload_client;
|
||||||
|
|
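--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -32,6 +32,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0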
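--- a/vendor/hal_secure_element_default.te
+++ b/vendor/hal_secure_element_default.te
@@ -0,0 +1,5 @@
+type hal_secure_element_default, domain;
+hal_server_domain(hal_secure_element_default, hal_secure_element)
+type hal_secure_element_default_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_secure_element_default)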