Merge "SE Policy for Secure Element app and Secure Element HAL" am: 6a60cb3e69 am: f285f2db4b

am: 4757882300

Change-Id: I36147d7f0359cef7f80ee36086150936bed2e672
This commit is contained in:
Ruchi Kandoi 2018-01-30 01:26:15 +00:00 committed by android-build-merger
commit 1c57b81c1e
15 changed files with 41 additions and 0 deletions

View file

@ -201,6 +201,7 @@ neverallow all_untrusted_apps {
hal_nfc_hwservice hal_nfc_hwservice
hal_oemlock_hwservice hal_oemlock_hwservice
hal_power_hwservice hal_power_hwservice
hal_secure_element_hwservice
hal_sensors_hwservice hal_sensors_hwservice
hal_telephony_hwservice hal_telephony_hwservice
hal_thermal_hwservice hal_thermal_hwservice

View file

@ -42,6 +42,7 @@
hal_confirmationui_hwservice hal_confirmationui_hwservice
hal_lowpan_hwservice hal_lowpan_hwservice
hal_neuralnetworks_hwservice hal_neuralnetworks_hwservice
hal_secure_element_hwservice
hal_tetheroffload_hwservice hal_tetheroffload_hwservice
hal_wifi_hostapd_hwservice hal_wifi_hostapd_hwservice
hal_usb_gadget_hwservice hal_usb_gadget_hwservice
@ -65,6 +66,9 @@
perfetto_traces_data_file perfetto_traces_data_file
perfprofd_service perfprofd_service
property_info property_info
secure_element
secure_element_tmpfs
secure_element_service
slice_service slice_service
stats stats
stats_data_file stats_data_file

View file

@ -39,6 +39,7 @@ android.hardware.radio.deprecated::IOemHook u:object_r:hal_t
android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0 android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0 android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0 android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0 android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0 android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0 android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0

View file

@ -24,6 +24,7 @@ allow nfc radio_service:service_manager find;
allow nfc app_api_service:service_manager find; allow nfc app_api_service:service_manager find;
allow nfc system_api_service:service_manager find; allow nfc system_api_service:service_manager find;
allow nfc vr_manager_service:service_manager find; allow nfc vr_manager_service:service_manager find;
allow nfc secure_element_service:service_manager find;
set_prop(nfc, nfc_prop); set_prop(nfc, nfc_prop);

View file

@ -99,6 +99,7 @@ user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_d
user=system seinfo=platform domain=system_app type=system_app_data_file user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell type=shell_data_file user=shell seinfo=platform domain=shell type=shell_data_file

14
private/secure_element.te Normal file
View file

@ -0,0 +1,14 @@
# secure element subsystem
typeattribute secure_element coredomain;
app_domain(secure_element)
binder_service(secure_element)
add_service(secure_element, secure_element_service)
allow secure_element app_api_service:service_manager find;
hal_client_domain(secure_element, hal_secure_element)
# already open bugreport file descriptors may be shared with
# the secure element process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow secure_element shell_data_file:file read;

View file

@ -134,6 +134,7 @@ rttmanager u:object_r:rttmanager_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0 samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0 scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0 search u:object_r:search_service:s0
secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0 sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
sensorservice u:object_r:sensorservice_service:s0 sensorservice u:object_r:sensorservice_service:s0
serial u:object_r:serial_service:s0 serial u:object_r:serial_service:s0

View file

@ -232,6 +232,7 @@ hal_attribute(neuralnetworks);
hal_attribute(nfc); hal_attribute(nfc);
hal_attribute(oemlock); hal_attribute(oemlock);
hal_attribute(power); hal_attribute(power);
hal_attribute(secure_element);
hal_attribute(sensors); hal_attribute(sensors);
hal_attribute(telephony); hal_attribute(telephony);
hal_attribute(tetheroffload); hal_attribute(tetheroffload);

View file

@ -0,0 +1,6 @@
# HwBinder IPC from client to server, and callbacks
binder_call(hal_secure_element_client, hal_secure_element_server)
binder_call(hal_secure_element_server, hal_secure_element_client)
add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;

View file

@ -32,6 +32,7 @@ type hal_oemlock_hwservice, hwservice_manager_type;
type hal_omx_hwservice, hwservice_manager_type; type hal_omx_hwservice, hwservice_manager_type;
type hal_power_hwservice, hwservice_manager_type; type hal_power_hwservice, hwservice_manager_type;
type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice; type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
type hal_secure_element_hwservice, hwservice_manager_type;
type hal_sensors_hwservice, hwservice_manager_type; type hal_sensors_hwservice, hwservice_manager_type;
type hal_telephony_hwservice, hwservice_manager_type; type hal_telephony_hwservice, hwservice_manager_type;
type hal_tetheroffload_hwservice, hwservice_manager_type; type hal_tetheroffload_hwservice, hwservice_manager_type;

2
public/secure_element.te Normal file
View file

@ -0,0 +1,2 @@
# secure_element subsystem
type secure_element, domain;

View file

@ -23,6 +23,7 @@ type netd_service, service_manager_type;
type nfc_service, service_manager_type; type nfc_service, service_manager_type;
type perfprofd_service, service_manager_type; type perfprofd_service, service_manager_type;
type radio_service, service_manager_type; type radio_service, service_manager_type;
type secure_element_service, service_manager_type;
type storaged_service, service_manager_type; type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type; type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type; type system_app_service, service_manager_type;

View file

@ -82,6 +82,7 @@ userdebug_or_eng(`
typeattribute su hal_nfc_client; typeattribute su hal_nfc_client;
typeattribute su hal_oemlock_client; typeattribute su hal_oemlock_client;
typeattribute su hal_power_client; typeattribute su hal_power_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client; typeattribute su hal_sensors_client;
typeattribute su hal_telephony_client; typeattribute su hal_telephony_client;
typeattribute su hal_tetheroffload_client; typeattribute su hal_tetheroffload_client;

View file

@ -32,6 +32,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0 /(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0

5
vendor/hal_secure_element_default.te vendored Normal file
View file

@ -0,0 +1,5 @@
type hal_secure_element_default, domain;
hal_server_domain(hal_secure_element_default, hal_secure_element)
type hal_secure_element_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_secure_element_default)