Secretkeeper/Sepolicy: Create required domains
Add sepolicy rules for the Secretkeeper HAL & the nonsecure service implementing the AIDL. Test: atest VtsHalSkTargetTest & check for Selinux denials Bug: 293429085 Change-Id: I907cf326e48e4dc180aa0d30e644416d4936ff78
parent
4b16e566e1
commit
59c970703b
10 changed files with 21 additions and 0 deletions
|
@ -119,6 +119,7 @@ var (
|
|||
"android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
|
||||
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
|
||||
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
|
||||
"android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": EXCEPTION_NO_FUZZER,
|
||||
"android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
|
||||
"android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
|
||||
"android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
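Review bot: The new `ISecretkeeper/nonsecure` entry is registered with `EXCEPTION_NO_FUZZER`, so a HAL that parses client-supplied requests and guards secrets enters the tree with no fuzz-coverage requirement and nothing recording that one is owed. The neighbouring security HAL entries use the same value, so this matches the file's style, but the exemption should be tied to follow-up work. I would add a comment above the entry such as `// TODO(b/<tracking-bug>): add a fuzzer for ISecretkeeper and drop this exception`. The map continues outside the hunk, so I cannot tell whether other entries carry such a note.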
|
||||
|
|
|
@ -10,6 +10,7 @@
|
|||
ota_build_prop
|
||||
snapuserd_log_data_file
|
||||
hal_authgraph_service
|
||||
hal_secretkeeper_service
|
||||
vibrator_control_service
|
||||
hal_codec2_service
|
||||
hal_macsec_service
|
||||
|
|
|
@ -122,6 +122,7 @@ android.hardware.secure_element.ISecureElement/eSE3 u:object_r:
|
|||
android.hardware.secure_element.ISecureElement/SIM1 u:object_r:hal_secure_element_service:s0
|
||||
android.hardware.secure_element.ISecureElement/SIM2 u:object_r:hal_secure_element_service:s0
|
||||
android.hardware.secure_element.ISecureElement/SIM3 u:object_r:hal_secure_element_service:s0
|
||||
android.hardware.security.secretkeeper.ISecretkeeper/nonsecure u:object_r:hal_secretkeeper_service:s0
|
||||
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
|
||||
android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
|
||||
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
|
||||
|
|
|
@ -376,6 +376,7 @@ hal_attribute(power);
|
|||
hal_attribute(power_stats);
|
||||
hal_attribute(rebootescrow);
|
||||
hal_attribute(remoteaccess);
|
||||
hal_attribute(secretkeeper);
|
||||
hal_attribute(secure_element);
|
||||
hal_attribute(sensors);
|
||||
hal_attribute(telephony);
|
||||
|
|
|
@ -178,6 +178,7 @@ dump_hal(hal_oemlock)
|
|||
dump_hal(hal_power)
|
||||
dump_hal(hal_power_stats)
|
||||
dump_hal(hal_rebootescrow)
|
||||
dump_hal(hal_secretkeeper)
|
||||
dump_hal(hal_sensors)
|
||||
dump_hal(hal_thermal)
|
||||
dump_hal(hal_vehicle)
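Review bot: `dump_hal(hal_secretkeeper)` opens the bugreport path to a HAL whose purpose is storing secrets, and the change does not say why that access is needed. The macro is defined outside this page; if, as it appears for the other HALs listed here, it makes the dumping domain a client of the HAL, that domain could reach the whole `ISecretkeeper` interface and not only a dump hook. I would either drop the line or add a comment recording the constraint, e.g. `# Secretkeeper's dump output must not contain stored secrets or key material.`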
|
||||
|
|
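--- a/public/hal_secretkeeper.te
+++ b/public/hal_secretkeeper.te
@@ -0,0 +1,8 @@
+# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
+# storage of secrets guarded by DICE policies.
+binder_call(hal_secretkeeper_client, hal_secretkeeper_server)
+
+hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)
+
+binder_use(hal_secretkeeper_server)
+binder_use(hal_secretkeeper_client)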
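Review bot: The header comment does not say which domains are meant to hold `hal_secretkeeper_client`, although the `binder_call` and `hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)` lines give every holder of that attribute access to the service. On this page the attribute is assigned only to `su` inside `userdebug_or_eng`, so the intended production clients cannot be read from the change. I would extend the comment with a line such as `# Only domains explicitly given hal_secretkeeper_client may find and call the service; keep that set minimal.`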
@ -321,6 +321,7 @@ type hal_rebootescrow_service, protected_service, hal_service_type, service_mana
|
|||
type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_secretkeeper_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
|
||||
type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
|
||||
|
|
|
@ -90,6 +90,7 @@ userdebug_or_eng(`
|
|||
typeattribute su hal_oemlock_client;
|
||||
typeattribute su hal_power_client;
|
||||
typeattribute su hal_rebootescrow_client;
|
||||
typeattribute su hal_secretkeeper_client;
|
||||
typeattribute su hal_secure_element_client;
|
||||
typeattribute su hal_sensors_client;
|
||||
typeattribute su hal_telephony_client;
|
||||
|
|
1
vendor/file_contexts
vendored
1
vendor/file_contexts
vendored
|
@ -100,6 +100,7 @@
|
|||
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.authgraph-service\.nonsecure u:object_r:hal_authgraph_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.secretkeeper-service.nonsecure u:object_r:hal_secretkeeper_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
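Review bot: The added pattern leaves the dot before `nonsecure` unescaped (`secretkeeper-service.nonsecure`), so it matches any character in that position and can label a file other than the intended binary as `hal_secretkeeper_default_exec`. The authgraph entry two lines above escapes the same dot; the tail should read `secretkeeper-service\.nonsecure`. The `secure_element-service.example` context line has the same looseness but is not part of this change.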
|
||||
|
|
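--- a/vendor/hal_secretkeeper_default.te
+++ b/vendor/hal_secretkeeper_default.te
@@ -0,0 +1,5 @@
+type hal_secretkeeper_default, domain;
+hal_server_domain(hal_secretkeeper_default, hal_secretkeeper)
+
+type hal_secretkeeper_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secretkeeper_default)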
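Review bot: This new file has no header comment, and nothing in it says that `hal_secretkeeper_default` labels the `secretkeeper-service.nonsecure` binary named in `vendor/file_contexts`. The public policy comment describes tamper-evident, rollback-protected storage, and the `nonsecure` name suggests this implementation does not offer that, so a reader could assume guarantees the domain may not have. I would open the file with `# Domain for the nonsecure Secretkeeper HAL service (android.hardware.security.secretkeeper-service.nonsecure).`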