From 59c970703b59dc316030d93f83ffdbdda029d7d8 Mon Sep 17 00:00:00 2001
From: Shikha Panwar
Date: Tue, 22 Aug 2023 00:15:39 +0000
Subject: [PATCH] Secretkeeper/Sepolicy: Create required domains

Add sepolicies rules for Secretkeeper HAL & nonsecure service implementing the AIDL.

Test: atest VtsHalSkTargetTest & check for Selinux denials
Bug: 293429085
Change-Id: I907cf326e48e4dc180aa0d30e644416d4936ff78
---
 build/soong/service_fuzzer_bindings.go | 1 +
 private/compat/34.0/34.0.ignore.cil | 1 +
 private/service_contexts | 1 +
 public/attributes | 1 +
 public/dumpstate.te | 1 +
 public/hal_secretkeeper.te | 8 ++++++++
 public/service.te | 1 +
 public/su.te | 1 +
 vendor/file_contexts | 1 +
 vendor/hal_secretkeeper_default.te | 5 +++++
 10 files changed, 21 insertions(+)
 create mode 100644 public/hal_secretkeeper.te
 create mode 100644 vendor/hal_secretkeeper_default.te

diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 008e44300..71023508f 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -119,6 +119,7 @@ var (
 "android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
 "android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
 "android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": EXCEPTION_NO_FUZZER,
 "android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
 "android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
 "android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index ddaa7e2a4..df907567e 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
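Review bot: The new `ISecretkeeper/nonsecure` entry is exempted from the service-fuzzer requirement with `EXCEPTION_NO_FUZZER`, and nothing in the commit records why; the neighbouring security HAL entries carry the same exemption, so this may be the established convention, but a HAL whose stated purpose (public/hal_secretkeeper.te) is storing secrets guarded by DICE policies is precisely the kind of binder surface the fuzzer list exists to cover. A one-line comment on the added entry would keep the exemption from being silently inherited by a future secure instance, e.g. `// TODO(b/<tracking bug>): fuzz ISecretkeeper; only the nonsecure reference impl is registered so far`. The enclosing `var (` block starts before and ends after the hunk.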
@@ -10,6 +10,7 @@
 ota_build_prop
 snapuserd_log_data_file
 hal_authgraph_service
+ hal_secretkeeper_service
 vibrator_control_service
 hal_codec2_service
 hal_macsec_service
diff --git a/private/service_contexts b/private/service_contexts
index a803d515c..f6f135ffe 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -122,6 +122,7 @@ android.hardware.secure_element.ISecureElement/eSE3 u:object_r:
 android.hardware.secure_element.ISecureElement/SIM1 u:object_r:hal_secure_element_service:s0
 android.hardware.secure_element.ISecureElement/SIM2 u:object_r:hal_secure_element_service:s0
 android.hardware.secure_element.ISecureElement/SIM3 u:object_r:hal_secure_element_service:s0
+android.hardware.security.secretkeeper.ISecretkeeper/nonsecure u:object_r:hal_secretkeeper_service:s0
 android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
 android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
 android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
diff --git a/public/attributes b/public/attributes
index fa47b25f9..892d650bf 100644
--- a/public/attributes
+++ b/public/attributes
@@ -376,6 +376,7 @@ hal_attribute(power);
 hal_attribute(power_stats);
 hal_attribute(rebootescrow);
 hal_attribute(remoteaccess);
+hal_attribute(secretkeeper);
 hal_attribute(secure_element);
 hal_attribute(sensors);
 hal_attribute(telephony);
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 496d95974..549e6c63e 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -178,6 +178,7 @@ dump_hal(hal_oemlock)
 dump_hal(hal_power)
 dump_hal(hal_power_stats)
 dump_hal(hal_rebootescrow)
+dump_hal(hal_secretkeeper)
 dump_hal(hal_sensors)
 dump_hal(hal_thermal)
 dump_hal(hal_vehicle)
diff --git a/public/hal_secretkeeper.te b/public/hal_secretkeeper.te
new file mode 100644
index 000000000..809ed77c5
--- /dev/null
+++ b/public/hal_secretkeeper.te
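Review bot: Only the `nonsecure` instance name is given a label in private/service_contexts; a secure implementation that later registers as `ISecretkeeper/default` would not match this line and would fall through to whatever catch-all rule the file ends with (outside the hunk), so it would not carry `hal_secretkeeper_service` and the `protected_service` attribute attached to that type in public/service.te would not apply to it. If a default instance is planned, add `android.hardware.security.secretkeeper.ISecretkeeper/default u:object_r:hal_secretkeeper_service:s0` alongside the nonsecure line now; otherwise a short note in the commit message that the label is intentionally limited to the reference implementation would help, since build/soong/service_fuzzer_bindings.go makes the same nonsecure-only choice.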
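Review bot: `dump_hal(hal_secretkeeper)` lets dumpstate reach the Secretkeeper server domain during bug-report collection, which makes the HAL's dump handler a path by which stored secrets or DICE policy material could land in a bugreport if the implementation is careless; the policy rule cannot prevent that, only the implementation can. I would put the expectation next to the rule so it travels with it, e.g. `# Secretkeeper's dump handler must report status only, never secret or policy contents.` ahead of the added line. The exact permissions dump_hal grants are defined by the macro outside this hunk.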
@@ -0,0 +1,8 @@
+# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
+# storage of secrets guarded by DICE policies.
+binder_call(hal_secretkeeper_client, hal_secretkeeper_server)
+
+hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)
+
+binder_use(hal_secretkeeper_server)
+binder_use(hal_secretkeeper_client)
diff --git a/public/service.te b/public/service.te
index a208dcf24..ecacc9dee 100644
--- a/public/service.te
+++ b/public/service.te
@@ -321,6 +321,7 @@ type hal_rebootescrow_service, protected_service, hal_service_type, service_mana
 type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
 type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
 type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
+type hal_secretkeeper_service, protected_service, hal_service_type, service_manager_type;
 type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
 type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
 type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 28877409c..a893cdbc6 100644
--- a/public/su.te
+++ b/public/su.te
@@ -90,6 +90,7 @@ userdebug_or_eng(`
 typeattribute su hal_oemlock_client;
 typeattribute su hal_power_client;
 typeattribute su hal_rebootescrow_client;
+ typeattribute su hal_secretkeeper_client;
 typeattribute su hal_secure_element_client;
 typeattribute su hal_sensors_client;
 typeattribute su hal_telephony_client;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 28613c9f0..adbb2e7e7 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
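Review bot: The header comment in public/hal_secretkeeper.te promises "secure (tamper evident, rollback protected) storage", but the only implementation this change wires up is the `nonsecure` binary labelled in vendor/file_contexts, and nothing in this policy file delivers those properties — it only isolates the server domain and opens a binder path — so a reader will take the comment as a guarantee the domain provides. I would reword the second line to make it a statement about the HAL contract rather than about the policy, e.g. `# storage of secrets guarded by DICE policies. This policy isolates the server and` / `# permits client->server binder calls; the storage guarantees come from the implementation.` It is also worth saying that `binder_call` here is one-directional (no server-to-client callbacks are allowed) and that the only client enrolled by this change is `su` on userdebug_or_eng builds (public/su.te).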
@@ -100,6 +100,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.authgraph-service\.nonsecure u:object_r:hal_authgraph_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.secretkeeper-service.nonsecure u:object_r:hal_secretkeeper_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
diff --git a/vendor/hal_secretkeeper_default.te b/vendor/hal_secretkeeper_default.te
new file mode 100644
index 000000000..50f4ac184
--- /dev/null
+++ b/vendor/hal_secretkeeper_default.te
@@ -0,0 +1,5 @@
+type hal_secretkeeper_default, domain;
+hal_server_domain(hal_secretkeeper_default, hal_secretkeeper)
+
+type hal_secretkeeper_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secretkeeper_default)
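Review bot: In the added vendor/file_contexts line the `.` in `secretkeeper-service.nonsecure` is not escaped, unlike the `\.` in `authgraph-service\.nonsecure` two lines above; file_contexts paths are regular expressions, so the unescaped dot matches any single character in that position and a file such as `secretkeeper-service_nonsecure` in the same directory would also be labelled `hal_secretkeeper_default_exec` and be allowed to transition into the HAL domain. The pre-existing `secure_element-service.example` line has the same slip but is not part of this change. Use `/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.secretkeeper-service\.nonsecure u:object_r:hal_secretkeeper_default_exec:s0`.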
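Review bot: vendor/hal_secretkeeper_default.te does not say which binary the `hal_secretkeeper_default` domain is for, and the domain name does not reveal it either, while the matching file_contexts entry labels the `.nonsecure` reference implementation; a header comment would spare the next reader the cross-file lookup, e.g. `# Domain for the nonsecure reference Secretkeeper implementation` / `# (android.hardware.security.secretkeeper-service.nonsecure); no persistent storage rules are granted.` The domain gets no file or storage permissions beyond what `hal_server_domain` and `init_daemon_domain` supply, which I read as intentional for an in-memory reference implementation — if so, stating it in the comment means any later attempt to persist secrets surfaces as a denial in the test named in the commit message rather than being quietly allowed by a future rule; please confirm that reading.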