Add new appdomain for RKPD mainline app

This app talks to the remote provisioning HALs, and therefore requires access to the tee_device domain. Bug: 254112668 Test: Manually verify rkpd can run and find remote provisioning hals Change-Id: I876b0890f3d4e8956406d73e956084b99488ce56
2022-10-28 13:46:16 -07:00 · 2022-10-28 13:46:16 -07:00 · 71fa94edae
commit 71fa94edae
parent f4ab6c9f3c
5 changed files with 29 additions and 0 deletions
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@ -27,6 +27,7 @@
    ntfs
    permissive_mte_prop
    prng_seeder
+    rkpdapp
    servicemanager_prop
    system_net_netd_service
    timezone_metadata_prop
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@ -0,0 +1,20 @@
+###
+### A domain for sandboxing the remote key provisioning daemon
+### app that is shipped via mainline.
+###
+typeattribute rkpdapp coredomain;
+
+app_domain(rkpdapp)
+
+# RKPD needs to be able to call the remote provisioning HALs
+hal_client_domain(rkpdapp, hal_keymint)
+
+# Grant access to certain system properties related to RKP
+get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
+
+# Grant access to the normal services that are available to all apps
+allow rkpdapp app_api_service:service_manager find;
+
+# Grant access to statsd
+allow rkpdapp statsmanager_service:service_manager find;
+binder_call(rkpdapp, statsd)
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@ -164,6 +164,7 @@ user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module do
 user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
 user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
--- a/private/stats.te
+++ b/private/stats.te
@ -47,6 +47,7 @@ neverallow {
  -mediametrics
  -platform_app
  -priv_app
+  -rkpdapp
  -shell
  -stats
  -statsd
--- a/public/rkpd_app.te
+++ b/public/rkpd_app.te
@ -0,0 +1,6 @@
+###
+### A domain for sandboxing the remote key provisioning daemon
+### app that is shipped via mainline.
+###
+
+type rkpdapp, domain;