Merge "Allow shell to call IRemotelyProvisionedComponent"
This commit is contained in:
Max Bires
Gerrit Code Review
commit
37992dce8d
2 changed files with 14 additions and 0 deletions
|
|
@ -184,6 +184,9 @@ get_prop(shell, bootloader_boot_reason_prop)
|
|||
get_prop(shell, last_boot_reason_prop)
|
||||
get_prop(shell, system_boot_reason_prop)
|
||||
|
||||
# Allow shell to execute the remote key provisioning factory tool
|
||||
binder_call(shell, hal_keymint)
|
||||
|
||||
# Allow reading the outcome of perf_event_open LSM support test for CTS.
|
||||
get_prop(shell, init_perf_lsm_hooks_prop)
|
||||
|
||||
|
|
|
|||
|
|
@ -81,6 +81,9 @@ allow shell {
|
|||
-apex_service
|
||||
-dnsresolver_service
|
||||
-gatekeeper_service
|
||||
-hal_keymint_service
|
||||
-hal_secureclock_service
|
||||
-hal_sharedsecret_service
|
||||
-incident_service
|
||||
-installd_service
|
||||
-mdns_service
|
||||
|
|
@ -196,6 +199,14 @@ recovery_only(`
|
|||
### Neverallow rules
|
||||
###
|
||||
|
||||
# Do not allow shell to talk directly to security HAL services other than
|
||||
# hal_remotelyprovisionedcomponent_service
|
||||
neverallow shell {
|
||||
hal_keymint_service
|
||||
hal_secureclock_service
|
||||
hal_sharedsecret_service
|
||||
}:service_manager find;
|
||||
|
||||
# Do not allow shell to hard link to any files.
|
||||
# In particular, if shell hard links to app data
|
||||
# files, installd will not be able to guarantee the deletion
|
||||
|
|
|
|||
Loading…
Reference in a new issue