Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" am: e79bbf9cf8

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2828234

Change-Id: Icf926e78100ec48014ca24e6a51b51c5ea93f7c1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

build/soong/service_fuzzer_bindings.go

@@ -178,6 +178,7 @@ var (
 		"android.service.gatekeeper.IGateKeeperService":                   []string{"gatekeeperd_service_fuzzer"},
 		"android.system.composd":                                          EXCEPTION_NO_FUZZER,
 		// TODO(b/294158658): add fuzzer
+		"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
 		"android.system.virtualizationservice":                            EXCEPTION_NO_FUZZER,
 		"android.system.virtualizationservice_internal.IVfioHandler":      EXCEPTION_NO_FUZZER,
 		"ambient_context":                                                 EXCEPTION_NO_FUZZER,

private/compat/34.0/34.0.ignore.cil

@@ -14,6 +14,7 @@
     hal_secretkeeper_service
     hal_codec2_service
     hal_macsec_service
+    hal_remotelyprovisionedcomponent_avf_service
     hal_threadnetwork_service
     virtual_camera_service
     ot_daemon_service

private/keystore.te

@@ -11,6 +11,11 @@ hal_client_domain(keystore, hal_confirmationui)
 # talk to keymint
 hal_client_domain(keystore, hal_keymint)
 
+# Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to
+# access it.
+# TODO(b/312427637): Investigate the reason and fix the denial.
+dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find };
+
 # This is used for the ConfirmationUI async callback.
 allow keystore platform_app:binder call;
 

private/rkpd_app.te

@@ -9,6 +9,7 @@ net_domain(rkpdapp)
 
 # RKPD needs to be able to call the remote provisioning HALs
 hal_client_domain(rkpdapp, hal_keymint)
+hal_client_domain(rkpdapp, hal_remotelyprovisionedcomponent_avf)
 
 # Grant access to certain system properties related to RKP
 get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)

private/service_contexts

@@ -94,6 +94,7 @@ android.hardware.rebootescrow.IRebootEscrow/default                  u:object_r:
 android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure  u:object_r:hal_authgraph_service:s0
 android.hardware.security.keymint.IKeyMintDevice/default             u:object_r:hal_keymint_service:s0
 android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/avf     u:object_r:hal_remotelyprovisionedcomponent_avf_service:s0
 android.hardware.gatekeeper.IGatekeeper/default                      u:object_r:hal_gatekeeper_service:s0
 android.hardware.security.secureclock.ISecureClock/default             u:object_r:hal_secureclock_service:s0
 android.hardware.security.sharedsecret.ISharedSecret/default             u:object_r:hal_sharedsecret_service:s0

private/system_server.te

@@ -330,6 +330,7 @@ hal_client_domain(system_server, hal_omx)
 hal_client_domain(system_server, hal_power)
 hal_client_domain(system_server, hal_power_stats)
 hal_client_domain(system_server, hal_rebootescrow)
+hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf)
 hal_client_domain(system_server, hal_sensors)
 hal_client_domain(system_server, hal_tetheroffload)
 hal_client_domain(system_server, hal_thermal)

private/virtualizationservice.te

@@ -21,6 +21,10 @@ is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
     binder_call(virtualizationservice, vfio_handler)
 ')
 
+# Allow the virtualizationservice domain to serve a remotely provisioned component for
+# pVM remote attestation.
+hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
+
 # Allow calling into the system server to find "permission_service".
 binder_call(virtualizationservice, system_server)
 allow virtualizationservice permission_service:service_manager find;

public/attributes

@@ -377,6 +377,7 @@ hal_attribute(power_stats);
 hal_attribute(rebootescrow);
 hal_attribute(remoteaccess);
 hal_attribute(secretkeeper);
+hal_attribute(remotelyprovisionedcomponent_avf);
 hal_attribute(secure_element);
 hal_attribute(sensors);
 hal_attribute(telephony);

public/hal_remotelyprovisionedcomponent_avf.te

@@ -0,0 +1,8 @@
+# allow binder connection from client to server
+binder_call(hal_remotelyprovisionedcomponent_avf_client, hal_remotelyprovisionedcomponent_avf_server)
+
+# allow client to find the service, allow server to register the service
+hal_attribute_service(hal_remotelyprovisionedcomponent_avf, hal_remotelyprovisionedcomponent_avf_service)
+
+# allow binder communication from server to service_manager
+binder_use(hal_remotelyprovisionedcomponent_avf_server)

public/service.te

@@ -320,6 +320,7 @@ type hal_power_stats_service, protected_service, hal_service_type, service_manag
 type hal_radio_service, protected_service, hal_service_type, service_manager_type;
 type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
 type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
+type hal_remotelyprovisionedcomponent_avf_service, protected_service, hal_service_type, service_manager_type;
 type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
 type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
 type hal_secretkeeper_service, protected_service, hal_service_type, service_manager_type;