From 3accea479aa4797165b310e5e07aa8a34919485a Mon Sep 17 00:00:00 2001
From: Seth Moore <sethmo@google.com>
Date: Thu, 20 Oct 2022 14:09:11 -0700
Subject: [PATCH] Add permissions for remote_provisioning service

Bug: 254112668
Test: manual + presubmit
Change-Id: I54d56c34ad4a8199b8aa005742faf9e1e12583c3
---
 build/soong/service_fuzzer_bindings.go       | 1 +
 private/compat/33.0/33.0.ignore.cil          | 1 +
 private/service_contexts                     | 1 +
 private/system_server.te                     | 1 +
 public/attributes                            | 1 +
 public/keystore.te                           | 2 ++
 public/remote_provisioning_service_server.te | 5 +++++
 public/service.te                            | 1 +
 8 files changed, 13 insertions(+)
 create mode 100644 public/remote_provisioning_service_server.te

diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 72f48041e..c4a74b60d 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -341,6 +341,7 @@ var (
 		"rcs":                          EXCEPTION_NO_FUZZER,
 		"reboot_readiness":             EXCEPTION_NO_FUZZER,
 		"recovery":                     EXCEPTION_NO_FUZZER,
+		"remote_provisioning":          EXCEPTION_NO_FUZZER,
 		"resolver":                     EXCEPTION_NO_FUZZER,
 		"resources":                    EXCEPTION_NO_FUZZER,
 		"restrictions":                 EXCEPTION_NO_FUZZER,
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 45bca3d54..786dc1440 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -29,6 +29,7 @@
     ntfs
     permissive_mte_prop
     prng_seeder
+    remote_provisioning_service
     rkpdapp
     servicemanager_prop
     system_net_netd_service
diff --git a/private/service_contexts b/private/service_contexts
index ecd1f440b..6dfc5a728 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -319,6 +319,7 @@ radio.sms                                 u:object_r:radio_service:s0
 rcs                                       u:object_r:radio_service:s0
 reboot_readiness                          u:object_r:reboot_readiness_service:s0
 recovery                                  u:object_r:recovery_service:s0
+remote_provisioning                       u:object_r:remote_provisioning_service:s0
 resolver                                  u:object_r:resolver_service:s0
 resources                                 u:object_r:resources_manager_service:s0
 restrictions                              u:object_r:restrictions_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 3a7dd8a9b..a967dcfc2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,6 +5,7 @@
 
 typeattribute system_server coredomain;
 typeattribute system_server mlstrustedsubject;
+typeattribute system_server remote_provisioning_service_server;
 typeattribute system_server scheduler_service_server;
 typeattribute system_server sensor_service_server;
 typeattribute system_server stats_service_server;
diff --git a/public/attributes b/public/attributes
index ae610e64e..04788748f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -399,6 +399,7 @@ attribute automotive_display_service_server;
 attribute camera_service_server;
 attribute display_service_server;
 attribute evsmanager_service_server;
+attribute remote_provisioning_service_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;
diff --git a/public/keystore.te b/public/keystore.te
index 8ac503e62..4cef1753f 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -5,6 +5,7 @@ type keystore_exec, system_file_type, exec_type, file_type;
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
+binder_call(keystore, remote_provisioning_service_server)
 binder_call(keystore, system_server)
 binder_call(keystore, wificond)
 
@@ -17,6 +18,7 @@ add_service(keystore, remotelyprovisionedkeypool_service)
 add_service(keystore, remoteprovisioning_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 allow keystore dropbox_service:service_manager find;
+allow keystore remote_provisioning_service:service_manager find;
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
diff --git a/public/remote_provisioning_service_server.te b/public/remote_provisioning_service_server.te
new file mode 100644
index 000000000..710b43d42
--- /dev/null
+++ b/public/remote_provisioning_service_server.te
@@ -0,0 +1,5 @@
+# This service is hosted by system server, and provides a stable aidl
+# front-end for a mainline module that is loaded into system server.
+add_service(remote_provisioning_service_server, remote_provisioning_service)
+
+binder_use(remote_provisioning_service_server)
diff --git a/public/service.te b/public/service.te
index 9ca96bd74..819498c05 100644
--- a/public/service.te
+++ b/public/service.te
@@ -194,6 +194,7 @@ type procstats_service, app_api_service, ephemeral_app_api_service, system_serve
 type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
 type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type remote_provisioning_service, system_server_service, service_manager_type;
 type resources_manager_service, system_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type role_service, app_api_service, system_server_service, service_manager_type;