Diced: Add policy for diced the DICE daemon.

Bug: 198197213 Test: N/A Change-Id: I5d0b06e3cd0c594cff6120856ca3bb4f7c1dd98d
2021-11-09 17:49:02 -08:00 · 2021-11-09 17:49:02 -08:00 · 2b6c6063ae
commit 2b6c6063ae
parent 8797f5841c
10 changed files with 43 additions and 0 deletions
--- a/private/access_vectors
+++ b/private/access_vectors
@ -749,6 +749,16 @@ class keystore2_key
 	use_dev_id
 }

+class diced
+{
+	demote
+	demote_self
+	derive
+	get_attestation_chain
+	use_seal
+	use_sign
+}
+
 class drmservice {
 	consumeRights
 	setPlaybackStatus
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@ -9,6 +9,10 @@
    attestation_verification_service
    camera2_extensions_prop
    device_config_nnapi_native_prop
+    dice_maintenance_service
+    dice_node_service
+    diced
+    diced_exec
    extra_free_kbytes
    extra_free_kbytes_exec
    hal_contexthub_service
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@ -8,6 +8,7 @@ allow crash_dump {
  -apexd
  -bpfloader
  -crash_dump
+  -diced
  -init
  -kernel
  -keystore
@ -40,6 +41,7 @@ neverallow crash_dump {
  apexd
  userdebug_or_eng(`-apexd')
  bpfloader
+  diced
  init
  kernel
  keystore
--- a/private/diced.te
+++ b/private/diced.te
@ -0,0 +1,7 @@
+typeattribute diced coredomain;
+
+init_daemon_domain(diced)
+
+# Talk to dice HAL.
+# TODO uncomment when implemented.
+# hal_client_domain(diced, hal_dice)
--- a/private/file_contexts
+++ b/private/file_contexts
@ -270,6 +270,7 @@
 /system/bin/credstore	u:object_r:credstore_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
 /system/bin/keystore2	u:object_r:keystore_exec:s0
+/system/bin/diced      u:object_r:diced_exec:s0
 /system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
 /system/bin/tombstoned u:object_r:tombstoned_exec:s0
--- a/private/llkd.te
+++ b/private/llkd.te
@ -23,6 +23,7 @@ userdebug_or_eng(`
  allow llkd {
    domain
    -apexd
+    -diced
    -kernel
    -keystore
    -init
--- a/private/security_classes
+++ b/private/security_classes
@ -163,5 +163,8 @@ class keystore2                 # userspace
 # Keystore 2.0 key permissions
 class keystore2_key             # userspace

+# Diced permissions
+class diced                     # userspace
+
 class drmservice                # userspace
 # FLASK
--- a/private/service_contexts
+++ b/private/service_contexts
@ -65,6 +65,8 @@ android.os.UpdateEngineStableService      u:object_r:update_engine_stable_servic
 android.security.apc                      u:object_r:apc_service:s0
 android.security.authorization            u:object_r:authorization_service:s0
 android.security.compat                   u:object_r:keystore_compat_hal_service:s0
+android.security.dice.IDiceMaintenance    u:object_r:dice_maintenance_service:s0
+android.security.dice.IDiceNode           u:object_r:dice_node_service:s0
 android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.security.legacykeystore           u:object_r:legacykeystore_service:s0
--- a/public/diced.te
+++ b/public/diced.te
@ -0,0 +1,11 @@
+type diced, domain;
+type diced_exec, system_file_type, exec_type, file_type;
+
+binder_use(diced)
+binder_service(diced)
+
+add_service(diced, dice_node_service)
+add_service(diced, dice_maintenance_service)
+
+# Check SELinux permissions.
+selinux_check_access(diced)
--- a/public/service.te
+++ b/public/service.te
@ -8,6 +8,8 @@ type batteryproperties_service, app_api_service, ephemeral_app_api_service, serv
 type bluetooth_service,         service_manager_type;
 type cameraserver_service,      service_manager_type;
 type default_android_service,   service_manager_type;
+type dice_maintenance_service,  service_manager_type;
+type dice_node_service,         service_manager_type;
 type dnsresolver_service,       service_manager_type;
 type drmserver_service,         service_manager_type;
 type dumpstate_service,         service_manager_type;