From 1c6cf7c74a9002278003ecd1be54a66e30ee2561 Mon Sep 17 00:00:00 2001
From: Andrew Scull
Date: Tue, 27 Sep 2022 22:18:46 +0000
Subject: [PATCH] Merge logic of DICE HAL and diced in to dice-service

The DICE HAL and diced are replaced with dice-service which implements the diced services and also contains the HAL logic directly, without exposing an implementation of the HAL service.

Bug: 243133253
Test: atest MicrodroidTests
Change-Id: Ia0edeadb04a3fdd37ee1a69a875a7b29586702c5
---
 .../system/private/compos_key_helper.te | 4 ++--
 microdroid/system/private/dice_service.te | 24 +++++++++++++++++++
 microdroid/system/private/diced.te | 23 ------------------
 microdroid/system/private/file_contexts | 2 +-
 microdroid/system/private/microdroid_app.te | 6 ++---
 .../system/private/microdroid_manager.te | 6 ++---
 microdroid/system/private/service_contexts | 2 --
 microdroid/system/public/hal_dice.te | 4 ----
 microdroid/vendor/file_contexts | 3 ---
 microdroid/vendor/hal_dice_default.te | 14 ----------
 10 files changed, 33 insertions(+), 55 deletions(-)
 create mode 100644 microdroid/system/private/dice_service.te
 delete mode 100644 microdroid/system/private/diced.te
 delete mode 100644 microdroid/system/public/hal_dice.te
 delete mode 100644 microdroid/vendor/hal_dice_default.te
diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te
index 56f8d2a82..b117d0c56 100644
--- a/microdroid/system/private/compos_key_helper.te
+++ b/microdroid/system/private/compos_key_helper.te
@@ -9,8 +9,8 @@ typeattribute compos_key_helper no_crash_dump_domain;
 # Allow using DICE binder service
 binder_use(compos_key_helper);
 allow compos_key_helper dice_node_service:service_manager find;
-binder_call(compos_key_helper, diced);
-allow compos_key_helper diced:diced { get_attestation_chain derive };
+binder_call(compos_key_helper, dice_service);
+allow compos_key_helper dice_service:diced { get_attestation_chain derive };
 
 # Communicate with compos via stdin/stdout pipes
 allow compos_key_helper compos:fd use;
diff --git a/microdroid/system/private/dice_service.te b/microdroid/system/private/dice_service.te
new file mode 100644
index 000000000..341108c57
--- /dev/null
+++ b/microdroid/system/private/dice_service.te
@@ -0,0 +1,24 @@
+type dice_service, domain, coredomain;
+type dice_service_exec, system_file_type, exec_type, file_type;
+
+# Block crash dumps to ensure the DICE secrets are not leaked.
+typeattribute dice_service no_crash_dump_domain;
+
+# dice_service can be started by init.
+init_daemon_domain(dice_service)
+
+# dice_service hosts AIDL services.
+binder_use(dice_service)
+binder_service(dice_service)
+add_service(dice_service, dice_node_service)
+add_service(dice_service, dice_maintenance_service)
+
+# dice_service can check SELinux permissions.
+selinux_check_access(dice_service)
+
+# dice_service is using bootstrap bionic.
+use_bootstrap_libs(dice_service)
+
+# Read config from the device tree and open-dice driver.
+allow dice_service sysfs_dt_avf:file r_file_perms;
+allow dice_service open_dice_device:chr_file rw_file_perms;
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
deleted file mode 100644
index 2dba244ae..000000000
--- a/microdroid/system/private/diced.te
+++ /dev/null
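Review bot: The last two rules of the new dice_service.te grant `rw_file_perms` on `open_dice_device` and read access on `sysfs_dt_avf`, but nothing in the file forbids any other domain from being given the same access, so the "DICE secrets" that the no_crash_dump_domain comment is guarding are protected only by the absence of an `allow` somewhere else. With the vendor hal_dice_default domain and its HAL boundary removed in this commit, this single coredomain is now the only thing between the driver node and the rest of the VM, so I would pin that at policy-build time next to the allow rules, unless the microdroid policy already carries such a rule elsewhere: `neverallow { domain -dice_service } open_dice_device:chr_file { open read write ioctl };` (init or ueventd would need an exemption only if they open the node rather than just create and label it — please check). The comment `# Read config from the device tree and open-dice driver.` also reads as if both sources are plain configuration; since the driver node is presumably where the secrets enter this domain, I would spell that out, e.g. `# Read VM config from the device tree; the open-dice driver is the source of the DICE secrets that the crash-dump block above protects.`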
@@ -1,23 +0,0 @@
-type diced, domain, coredomain;
-type diced_exec, system_file_type, exec_type, file_type;
-
-# Block crash dumps to ensure the DICE secrets are not leaked.
-typeattribute diced no_crash_dump_domain;
-
-# diced can be started by init
-init_daemon_domain(diced)
-
-# diced can talk to dice HAL
-hal_client_domain(diced, hal_dice)
-
-# diced hosts AIDL services
-binder_use(diced)
-binder_service(diced)
-add_service(diced, dice_node_service)
-add_service(diced, dice_maintenance_service)
-
-# diced can check SELinux permissions.
-selinux_check_access(diced)
-
-# diced is using bootstrap bionic
-use_bootstrap_libs(diced)
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 152063c4f..a81bdc128 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -105,7 +105,7 @@
 /system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
 /system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/diced.microdroid u:object_r:diced_exec:s0
+/system/bin/dice-service.microdroid u:object_r:dice_service_exec:s0
 /system/bin/servicemanager.microdroid u:object_r:servicemanager_exec:s0
 /system/bin/init u:object_r:init_exec:s0
 /system/bin/logcat -- u:object_r:logcat_exec:s0
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index de5832635..d9d533a42 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -9,9 +9,9 @@
 type microdroid_app, domain, coredomain, microdroid_payload;
 type microdroid_app_exec, exec_type, file_type, system_file_type;
 
-# Talk to binder services (for diced)
+# Talk to binder services (for dice_service)
 binder_use(microdroid_app);
 allow microdroid_app dice_node_service:service_manager find;
-binder_call(microdroid_app, diced);
-allow microdroid_app diced:diced { get_attestation_chain derive };
+binder_call(microdroid_app, dice_service);
+allow microdroid_app dice_service:diced { get_attestation_chain derive };
 
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index bfaabe24b..06fb9790e 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -45,11 +45,11 @@ allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
 # microdroid_manager is using bootstrap bionic
 use_bootstrap_libs(microdroid_manager)
 
-# microdroid_manager can talk to diced over binder
+# microdroid_manager can talk to dice_service over binder
 binder_use(microdroid_manager)
-binder_call(microdroid_manager, diced)
+binder_call(microdroid_manager, dice_service)
 allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
-allow microdroid_manager diced:diced { derive demote_self };
+allow microdroid_manager dice_service:diced { derive demote_self };
 
 # microdroid_manager create /apex/vm-payload-metadata for apexd
 # TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 9a2730615..76bae22fc 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -1,5 +1,3 @@
-android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
-
 adb u:object_r:adb_service:s0
 android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
 android.security.dice.IDiceNode u:object_r:dice_node_service:s0
diff --git a/microdroid/system/public/hal_dice.te b/microdroid/system/public/hal_dice.te
deleted file mode 100644
index 92222c5ce..000000000
--- a/microdroid/system/public/hal_dice.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_dice_client, hal_dice_server)
-
-hal_attribute_service(hal_dice, hal_dice_service)
-binder_call(hal_dice_server, servicemanager)
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index 002fb14f5..533814cd1 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -3,6 +3,3 @@
 #
 (/.*)? u:object_r:vendor_file:s0
 /etc(/.*)? u:object_r:vendor_configs_file:s0
-
-# HAL location
-/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
deleted file mode 100644
index 9fbf90d13..000000000
--- a/microdroid/vendor/hal_dice_default.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type hal_dice_default, domain;
-hal_server_domain(hal_dice_default, hal_dice)
-
-# Block crash dumps to ensure the DICE secrets are not leaked.
-typeattribute hal_dice_default no_crash_dump_domain;
-
-type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_dice_default)
-
-# hal_dice_default is using bootstrap bionic
-use_bootstrap_libs(hal_dice_default)
-
-allow hal_dice_default sysfs_dt_avf:file r_file_perms;
-allow hal_dice_default open_dice_device:chr_file rw_file_perms;