Merge "Add permissions for remote_provisioning service" am: 61d823f9c7 am: aeaf422fe5 am: e3df03bc24

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2263548 Change-Id: I160a31da6e765e050c0278b8851a4f241619a951 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-07 18:57:57 +00:00 · 2022-12-07 18:57:57 +00:00 · 8696a544e8
commit 8696a544e8
parent 0d9d21373c e3df03bc24
8 changed files with 13 additions and 0 deletions
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@ -341,6 +341,7 @@ var (
 		"rcs":                          EXCEPTION_NO_FUZZER,
 		"reboot_readiness":             EXCEPTION_NO_FUZZER,
 		"recovery":                     EXCEPTION_NO_FUZZER,
+		"remote_provisioning":          EXCEPTION_NO_FUZZER,
 		"resolver":                     EXCEPTION_NO_FUZZER,
 		"resources":                    EXCEPTION_NO_FUZZER,
 		"restrictions":                 EXCEPTION_NO_FUZZER,
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@ -29,6 +29,7 @@
    ntfs
    permissive_mte_prop
    prng_seeder
+    remote_provisioning_service
    rkpdapp
    servicemanager_prop
    system_net_netd_service
--- a/private/service_contexts
+++ b/private/service_contexts
@ -319,6 +319,7 @@ radio.sms                                 u:object_r:radio_service:s0
 rcs                                       u:object_r:radio_service:s0
 reboot_readiness                          u:object_r:reboot_readiness_service:s0
 recovery                                  u:object_r:recovery_service:s0
+remote_provisioning                       u:object_r:remote_provisioning_service:s0
 resolver                                  u:object_r:resolver_service:s0
 resources                                 u:object_r:resources_manager_service:s0
 restrictions                              u:object_r:restrictions_service:s0
--- a/private/system_server.te
+++ b/private/system_server.te
@ -5,6 +5,7 @@

 typeattribute system_server coredomain;
 typeattribute system_server mlstrustedsubject;
+typeattribute system_server remote_provisioning_service_server;
 typeattribute system_server scheduler_service_server;
 typeattribute system_server sensor_service_server;
 typeattribute system_server stats_service_server;
--- a/public/attributes
+++ b/public/attributes
@ -399,6 +399,7 @@ attribute automotive_display_service_server;
 attribute camera_service_server;
 attribute display_service_server;
 attribute evsmanager_service_server;
+attribute remote_provisioning_service_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;
--- a/public/keystore.te
+++ b/public/keystore.te
@ -5,6 +5,7 @@ type keystore_exec, system_file_type, exec_type, file_type;
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
+binder_call(keystore, remote_provisioning_service_server)
 binder_call(keystore, system_server)
 binder_call(keystore, wificond)

@ -17,6 +18,7 @@ add_service(keystore, remotelyprovisionedkeypool_service)
 add_service(keystore, remoteprovisioning_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 allow keystore dropbox_service:service_manager find;
+allow keystore remote_provisioning_service:service_manager find;
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
--- a/public/remote_provisioning_service_server.te
+++ b/public/remote_provisioning_service_server.te
@ -0,0 +1,5 @@
+# This service is hosted by system server, and provides a stable aidl
+# front-end for a mainline module that is loaded into system server.
+add_service(remote_provisioning_service_server, remote_provisioning_service)
+
+binder_use(remote_provisioning_service_server)
--- a/public/service.te
+++ b/public/service.te
@ -194,6 +194,7 @@ type procstats_service, app_api_service, ephemeral_app_api_service, system_serve
 type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
 type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type remote_provisioning_service, system_server_service, service_manager_type;
 type resources_manager_service, system_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type role_service, app_api_service, system_server_service, service_manager_type;