diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 5398f6d1b..bd945e2a2 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -119,6 +119,7 @@ var (
 "android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
 "android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
 "android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": EXCEPTION_NO_FUZZER,
 "android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
 "android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
 "android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 5587d8d00..e3b9ba9c3 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -10,6 +10,7 @@
 ota_build_prop
 snapuserd_log_data_file
 hal_authgraph_service
+ hal_secretkeeper_service
 vibrator_control_service
 hal_codec2_service
 hal_macsec_service
diff --git a/private/service_contexts b/private/service_contexts
index c269196ce..d1662e4cf 100644
--- a/private/service_contexts
+++ b/private/service_contexts
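Review bot: In build/soong/service_fuzzer_bindings.go the added `android.hardware.security.secretkeeper.ISecretkeeper/nonsecure` entry is marked `EXCEPTION_NO_FUZZER`, and nothing records why or whether a fuzzer is planned. The neighbouring security HAL entries carry the same exception, so this is consistent with the file. However, the policy file added in this commit describes the service as storage of secrets guarded by DICE policies, so it presumably parses client-supplied requests and would be a natural fuzzing target. I would add a trailing comment on the new line, for example `// TODO(b/<bug-id>): bind a fuzzer for the nonsecure Secretkeeper service` (the bug id is a placeholder). The enclosing `var (` block starts and ends outside the hunk.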
@@ -122,6 +122,7 @@ android.hardware.secure_element.ISecureElement/eSE3 u:object_r:
 android.hardware.secure_element.ISecureElement/SIM1 u:object_r:hal_secure_element_service:s0
 android.hardware.secure_element.ISecureElement/SIM2 u:object_r:hal_secure_element_service:s0
 android.hardware.secure_element.ISecureElement/SIM3 u:object_r:hal_secure_element_service:s0
+android.hardware.security.secretkeeper.ISecretkeeper/nonsecure u:object_r:hal_secretkeeper_service:s0
 android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
 android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
 android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
diff --git a/public/attributes b/public/attributes
index fa47b25f9..892d650bf 100644
--- a/public/attributes
+++ b/public/attributes
@@ -376,6 +376,7 @@ hal_attribute(power);
 hal_attribute(power_stats);
 hal_attribute(rebootescrow);
 hal_attribute(remoteaccess);
+hal_attribute(secretkeeper);
 hal_attribute(secure_element);
 hal_attribute(sensors);
 hal_attribute(telephony);
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 496d95974..549e6c63e 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -178,6 +178,7 @@ dump_hal(hal_oemlock)
 dump_hal(hal_power)
 dump_hal(hal_power_stats)
 dump_hal(hal_rebootescrow)
+dump_hal(hal_secretkeeper)
 dump_hal(hal_sensors)
 dump_hal(hal_thermal)
 dump_hal(hal_vehicle)
diff --git a/public/hal_secretkeeper.te b/public/hal_secretkeeper.te
new file mode 100644
index 000000000..809ed77c5
--- /dev/null
+++ b/public/hal_secretkeeper.te
@@ -0,0 +1,8 @@
+# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
+# storage of secrets guarded by DICE policies.
+binder_call(hal_secretkeeper_client, hal_secretkeeper_server)
+
+hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)
+
+binder_use(hal_secretkeeper_server)
+binder_use(hal_secretkeeper_client)
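Review bot: In public/dumpstate.te, `dump_hal(hal_secretkeeper)` grants dumpstate more than a debug hook. As `dump_hal` is defined in te_macros (not shown in this diff), it makes dumpstate a `hal_secretkeeper_client`, and public/hal_secretkeeper.te in this same commit gives every client `binder_call` to the server plus whatever `hal_attribute_service` allows on `hal_secretkeeper_service`. For a HAL whose stated purpose is secret storage, I would confirm that the service really implements a dump path that bugreports need and that its output excludes stored secrets and key material. If there is no such path, drop the line; if there is, record the constraint in public/hal_secretkeeper.te, e.g. `# dumpstate is a client for bugreports only; dump output must not contain secrets`.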
diff --git a/public/service.te b/public/service.te
index 11894aa9b..62b473bdd 100644
--- a/public/service.te
+++ b/public/service.te
@@ -322,6 +322,7 @@ type hal_rebootescrow_service, protected_service, hal_service_type, service_mana
 type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
 type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
 type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
+type hal_secretkeeper_service, protected_service, hal_service_type, service_manager_type;
 type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
 type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
 type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 28877409c..a893cdbc6 100644
--- a/public/su.te
+++ b/public/su.te
@@ -90,6 +90,7 @@ userdebug_or_eng(`
 typeattribute su hal_oemlock_client;
 typeattribute su hal_power_client;
 typeattribute su hal_rebootescrow_client;
+ typeattribute su hal_secretkeeper_client;
 typeattribute su hal_secure_element_client;
 typeattribute su hal_sensors_client;
 typeattribute su hal_telephony_client;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 14885724a..1fb13d625 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -100,6 +100,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.authgraph-service\.nonsecure u:object_r:hal_authgraph_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.secretkeeper-service.nonsecure u:object_r:hal_secretkeeper_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
diff --git a/vendor/hal_secretkeeper_default.te b/vendor/hal_secretkeeper_default.te
new file mode 100644
index 000000000..50f4ac184
--- /dev/null
+++ b/vendor/hal_secretkeeper_default.te
@@ -0,0 +1,5 @@
+type hal_secretkeeper_default, domain;
+hal_server_domain(hal_secretkeeper_default, hal_secretkeeper)
+
+type hal_secretkeeper_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secretkeeper_default)
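Review bot: In vendor/file_contexts the new path leaves the dot before `nonsecure` unescaped (`secretkeeper-service.nonsecure`), so the regex accepts any character in that position; the authgraph entry two lines above writes `-service\.nonsecure`. Because `hal_secretkeeper_default_exec` is the entry point that vendor/hal_secretkeeper_default.te passes to `init_daemon_domain`, the pattern should match only the intended binary name. Suggest `android\.hardware\.security\.secretkeeper-service\.nonsecure` for the path. The existing `secure_element-service.example` context line has the same slip but is not part of this change.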