Merge "Allow for ISecretkeeper/default" into main am: 3f63eead74 am: 98c169553f

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2829790 Change-Id: Id99c48801738b853484427d99ece5d44d1e2f2bb Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-06 12:12:10 +00:00 · 2023-12-06 12:12:10 +00:00 · 42207db4cf
commit 42207db4cf
parent 0527c02fb0 98c169553f
3 changed files with 6 additions and 0 deletions
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@ -120,6 +120,7 @@ var (
 		"android.hardware.security.dice.IDiceDevice/default":                      EXCEPTION_NO_FUZZER,
 		"android.hardware.security.keymint.IKeyMintDevice/default":                EXCEPTION_NO_FUZZER,
 		"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
+		"android.hardware.security.secretkeeper.ISecretkeeper/default":            EXCEPTION_NO_FUZZER,
 		"android.hardware.security.secretkeeper.ISecretkeeper/nonsecure":          EXCEPTION_NO_FUZZER,
 		"android.hardware.security.secureclock.ISecureClock/default":              EXCEPTION_NO_FUZZER,
 		"android.hardware.security.sharedsecret.ISharedSecret/default":            EXCEPTION_NO_FUZZER,
--- a/private/service_contexts
+++ b/private/service_contexts
@ -125,6 +125,7 @@ android.hardware.secure_element.ISecureElement/eSE3                  u:object_r:
 android.hardware.secure_element.ISecureElement/SIM1                  u:object_r:hal_secure_element_service:s0
 android.hardware.secure_element.ISecureElement/SIM2                  u:object_r:hal_secure_element_service:s0
 android.hardware.secure_element.ISecureElement/SIM3                  u:object_r:hal_secure_element_service:s0
+android.hardware.security.secretkeeper.ISecretkeeper/default         u:object_r:hal_secretkeeper_service:s0
 android.hardware.security.secretkeeper.ISecretkeeper/nonsecure       u:object_r:hal_secretkeeper_service:s0
 android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
 android.system.net.netd.INetd/default                                u:object_r:system_net_netd_service:s0
--- a/public/hal_secretkeeper.te
+++ b/public/hal_secretkeeper.te
@ -6,3 +6,7 @@ hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)

 binder_use(hal_secretkeeper_server)
 binder_use(hal_secretkeeper_client)
+
+# The Secretkeeper HAL service needs to communicate with a trusted application running
+# in the TEE, which is represented by the tee_device permission.
+allow hal_secretkeeper_server tee_device:chr_file rw_file_perms;