Remove keystore from microdroid sepolicy am: f75d5cde48
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1964119 Change-Id: I36f1a90ae0c82476a6bce62e7ede4daeca42448c
This commit is contained in:
Andrew Scull
Automerger Merge Worker
commit
9201c5228b
23 changed files with 1 additions and 265 deletions
|
|
@ -288,11 +288,3 @@ prebuilt_etc {
|
|||
relative_install_path: "selinux",
|
||||
installable: false,
|
||||
}
|
||||
|
||||
prebuilt_etc {
|
||||
name: "microdroid_keystore2_key_contexts",
|
||||
filename: "plat_keystore2_key_contexts",
|
||||
src: "system/private/keystore2_key_contexts",
|
||||
relative_install_path: "selinux",
|
||||
installable: false,
|
||||
}
|
||||
|
|
|
|||
|
|
@ -691,61 +691,6 @@ class hwservice_manager
|
|||
list
|
||||
}
|
||||
|
||||
class keystore_key
|
||||
{
|
||||
get_state
|
||||
get
|
||||
insert
|
||||
delete
|
||||
exist
|
||||
list
|
||||
reset
|
||||
password
|
||||
lock
|
||||
unlock
|
||||
is_empty
|
||||
sign
|
||||
verify
|
||||
grant
|
||||
duplicate
|
||||
clear_uid
|
||||
add_auth
|
||||
user_changed
|
||||
gen_unique_id
|
||||
}
|
||||
|
||||
class keystore2
|
||||
{
|
||||
add_auth
|
||||
change_password
|
||||
change_user
|
||||
clear_ns
|
||||
clear_uid
|
||||
early_boot_ended
|
||||
get_auth_token
|
||||
get_state
|
||||
list
|
||||
lock
|
||||
report_off_body
|
||||
reset
|
||||
unlock
|
||||
}
|
||||
|
||||
class keystore2_key
|
||||
{
|
||||
convert_storage_key_to_ephemeral
|
||||
delete
|
||||
gen_unique_id
|
||||
get_info
|
||||
grant
|
||||
manage_blob
|
||||
rebind
|
||||
req_forced_op
|
||||
update
|
||||
use
|
||||
use_dev_id
|
||||
}
|
||||
|
||||
class drmservice {
|
||||
consumeRights
|
||||
setPlaybackStatus
|
||||
|
|
|
|||
|
|
@ -154,14 +154,5 @@ class service_manager # userspace
|
|||
# hardware service manager # userspace
|
||||
class hwservice_manager
|
||||
|
||||
# Legacy Keystore key permissions
|
||||
class keystore_key # userspace
|
||||
|
||||
# Keystore 2.0 permissions
|
||||
class keystore2 # userspace
|
||||
|
||||
# Keystore 2.0 key permissions
|
||||
class keystore2_key # userspace
|
||||
|
||||
class drmservice # userspace
|
||||
# FLASK
|
||||
|
|
|
|||
|
|
@ -691,61 +691,6 @@ class hwservice_manager
|
|||
list
|
||||
}
|
||||
|
||||
class keystore_key
|
||||
{
|
||||
get_state
|
||||
get
|
||||
insert
|
||||
delete
|
||||
exist
|
||||
list
|
||||
reset
|
||||
password
|
||||
lock
|
||||
unlock
|
||||
is_empty
|
||||
sign
|
||||
verify
|
||||
grant
|
||||
duplicate
|
||||
clear_uid
|
||||
add_auth
|
||||
user_changed
|
||||
gen_unique_id
|
||||
}
|
||||
|
||||
class keystore2
|
||||
{
|
||||
add_auth
|
||||
change_password
|
||||
change_user
|
||||
clear_ns
|
||||
clear_uid
|
||||
early_boot_ended
|
||||
get_auth_token
|
||||
get_state
|
||||
list
|
||||
lock
|
||||
report_off_body
|
||||
reset
|
||||
unlock
|
||||
}
|
||||
|
||||
class keystore2_key
|
||||
{
|
||||
convert_storage_key_to_ephemeral
|
||||
delete
|
||||
gen_unique_id
|
||||
get_info
|
||||
grant
|
||||
manage_blob
|
||||
rebind
|
||||
req_forced_op
|
||||
update
|
||||
use
|
||||
use_dev_id
|
||||
}
|
||||
|
||||
class diced
|
||||
{
|
||||
demote
|
||||
|
|
|
|||
|
|
@ -1,5 +0,0 @@
|
|||
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
|
||||
allow binderservicedomain keystore:keystore2 { get_state };
|
||||
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
|
||||
|
||||
use_keystore(binderservicedomain)
|
||||
|
|
@ -56,7 +56,6 @@ allow crash_dump {
|
|||
-crash_dump
|
||||
-init
|
||||
-kernel
|
||||
-keystore
|
||||
-logd
|
||||
-ueventd
|
||||
-vendor_init
|
||||
|
|
@ -65,7 +64,6 @@ allow crash_dump {
|
|||
userdebug_or_eng(`
|
||||
allow crash_dump {
|
||||
apexd
|
||||
keystore
|
||||
logd
|
||||
}:process { ptrace signal sigchld sigstop sigkill };
|
||||
')
|
||||
|
|
|
|||
|
|
@ -111,7 +111,6 @@
|
|||
/system/bin/servicemanager.microdroid u:object_r:servicemanager_exec:s0
|
||||
/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
|
||||
/system/bin/init u:object_r:init_exec:s0
|
||||
/system/bin/keystore2 u:object_r:keystore_exec:s0
|
||||
/system/bin/logcat -- u:object_r:logcat_exec:s0
|
||||
/system/bin/logd u:object_r:logd_exec:s0
|
||||
/system/bin/run-as -- u:object_r:runas_exec:s0
|
||||
|
|
@ -138,7 +137,6 @@
|
|||
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
|
||||
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
|
||||
/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
|
||||
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
|
||||
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
|
||||
|
|
@ -165,7 +163,6 @@
|
|||
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
|
||||
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
|
||||
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
|
||||
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
|
||||
/data/misc/authfs(/.*)? u:object_r:authfs_data_file:s0
|
||||
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
|
||||
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
|
||||
|
|
|
|||
|
|
@ -171,7 +171,6 @@ allow init {
|
|||
allow init {
|
||||
file_type
|
||||
-exec_type
|
||||
-keystore_data_file
|
||||
-shell_data_file
|
||||
-system_file_type
|
||||
-vendor_file_type
|
||||
|
|
@ -181,7 +180,6 @@ allow init {
|
|||
file_type
|
||||
-apex_info_file
|
||||
-exec_type
|
||||
-keystore_data_file
|
||||
-runtime_event_log_tags_file
|
||||
-shell_data_file
|
||||
-system_file_type
|
||||
|
|
@ -193,7 +191,6 @@ allow init tracefs_type:file { create_file_perms relabelfrom };
|
|||
allow init {
|
||||
file_type
|
||||
-exec_type
|
||||
-keystore_data_file
|
||||
-shell_data_file
|
||||
-system_file_type
|
||||
-vendor_file_type
|
||||
|
|
@ -203,7 +200,6 @@ allow init {
|
|||
file_type
|
||||
-apex_mnt_dir
|
||||
-exec_type
|
||||
-keystore_data_file
|
||||
-shell_data_file
|
||||
-system_file_type
|
||||
-vendor_file_type
|
||||
|
|
@ -356,11 +352,6 @@ allow init self:global_capability_class_set sys_boot;
|
|||
allow init self:global_capability_class_set kill;
|
||||
allow init domain:process { getpgid sigkill signal };
|
||||
|
||||
# Init creates keystore's directory on boot, and walks through
|
||||
# the directory as part of a recursive restorecon.
|
||||
allow init keystore_data_file:dir { open create read getattr setattr search };
|
||||
allow init keystore_data_file:file { getattr };
|
||||
|
||||
# Init creates /data/local/tmp at boot
|
||||
allow init shell_data_file:dir { open create read getattr setattr search };
|
||||
allow init shell_data_file:file { getattr };
|
||||
|
|
|
|||
|
|
@ -1,20 +0,0 @@
|
|||
typeattribute keystore coredomain;
|
||||
|
||||
init_daemon_domain(keystore)
|
||||
|
||||
# talk to keymint
|
||||
hal_client_domain(keystore, hal_keymint)
|
||||
|
||||
# Allow keystore to write to statsd.
|
||||
unix_socket_send(keystore, statsdw, statsd)
|
||||
|
||||
# Keystore need access to the keystore_key context files to load the keystore key backend.
|
||||
allow keystore keystore2_key_contexts_file:file r_file_perms;
|
||||
|
||||
# microdroid doesn't use keymaster HAL
|
||||
dontaudit keystore hal_keymaster_hwservice:hwservice_manager find;
|
||||
|
||||
# microdroid isn't related to F2FS, but sqlite3 tries to query F2FS features.
|
||||
dontauditxperm keystore keystore_data_file:file ioctl F2FS_IOC_GET_FEATURES;
|
||||
|
||||
set_prop(keystore, keystore_crash_prop)
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
# Keystore 2.0 key contexts.
|
||||
# This file defines Keystore 2.0 namespaces and maps them to labels.
|
||||
# Format:
|
||||
# <namespace> <label>
|
||||
#
|
||||
# <namespace> must be an integer in the interval [0 ... 2^31)
|
||||
|
||||
# vm_payload_key is a keystore2_key namespace intended for microdroid VM payloads.
|
||||
# TODO(b/191843770): sort out a longer term policy
|
||||
140 u:object_r:vm_payload_key:s0
|
||||
|
||||
|
|
@ -13,8 +13,6 @@ allow logd init:file { getattr open read };
|
|||
allow logd kernel:dir search;
|
||||
allow logd kernel:file { getattr open read };
|
||||
allow logd kernel:system { syslog_mod syslog_read };
|
||||
allow logd keystore:dir search;
|
||||
allow logd keystore:file { getattr open read };
|
||||
allow logd linkerconfig_file:dir search;
|
||||
allow logd microdroid_manager:dir search;
|
||||
allow logd microdroid_manager:file { getattr open read };
|
||||
|
|
|
|||
|
|
@ -9,17 +9,5 @@
|
|||
type microdroid_app, domain, coredomain, microdroid_payload;
|
||||
type microdroid_app_exec, exec_type, file_type, system_file_type;
|
||||
|
||||
# Talk to binder services (for keystore)
|
||||
# Talk to binder services (for diced)
|
||||
binder_use(microdroid_app);
|
||||
|
||||
# Allow payloads to use keystore
|
||||
use_keystore(microdroid_app);
|
||||
|
||||
# Allow payloads to use and manage their keys
|
||||
allow microdroid_app vm_payload_key:keystore2_key {
|
||||
delete
|
||||
get_info
|
||||
manage_blob
|
||||
rebind
|
||||
use
|
||||
};
|
||||
|
|
|
|||
|
|
@ -52,7 +52,6 @@ ro.boottime.init.cold_boot_wait u:object_r:boottime_prop:s0 exact int
|
|||
ro.boottime.init.first_stage u:object_r:boottime_prop:s0 exact int
|
||||
ro.boottime.init.modules u:object_r:boottime_prop:s0 exact int
|
||||
ro.boottime.init.selinux u:object_r:boottime_prop:s0 exact int
|
||||
ro.boottime.keystore2 u:object_r:boottime_prop:s0 exact int
|
||||
ro.boottime.logd u:object_r:boottime_prop:s0 exact int
|
||||
ro.boottime.logd-reinit u:object_r:boottime_prop:s0 exact int
|
||||
ro.boottime.microdroid_manager u:object_r:boottime_prop:s0 exact int
|
||||
|
|
@ -80,7 +79,6 @@ init.svc.apexd-vm u:object_r:init_service_status_private_prop:s0 exact
|
|||
init.svc.apkdmverity u:object_r:init_service_status_private_prop:s0 exact string
|
||||
init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
|
||||
init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
|
||||
init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
|
||||
init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
|
||||
init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
|
||||
init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
|
||||
|
|
@ -128,10 +126,6 @@ ro.adb.secure u:object_r:build_prop:s0 exact bool
|
|||
|
||||
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
|
||||
|
||||
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
|
||||
|
||||
keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
|
||||
|
||||
apex_config.done u:object_r:apex_config_prop:s0 exact bool
|
||||
|
||||
microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
|
||||
|
|
|
|||
|
|
@ -154,15 +154,6 @@ class service_manager # userspace
|
|||
# hardware service manager # userspace
|
||||
class hwservice_manager
|
||||
|
||||
# Legacy Keystore key permissions
|
||||
class keystore_key # userspace
|
||||
|
||||
# Keystore 2.0 permissions
|
||||
class keystore2 # userspace
|
||||
|
||||
# Keystore 2.0 key permissions
|
||||
class keystore2_key # userspace
|
||||
|
||||
# Diced permissions
|
||||
class diced # userspace
|
||||
|
||||
|
|
|
|||
|
|
@ -3,20 +3,10 @@ android.hardware.security.keymint.IKeyMintDevice/default u:object_r:
|
|||
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
|
||||
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
|
||||
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
|
||||
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
|
||||
|
||||
adb u:object_r:adb_service:s0
|
||||
android.security.apc u:object_r:apc_service:s0
|
||||
android.security.authorization u:object_r:authorization_service:s0
|
||||
android.security.compat u:object_r:keystore_compat_hal_service:s0
|
||||
android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
|
||||
android.security.dice.IDiceNode u:object_r:dice_node_service:s0
|
||||
android.security.identity u:object_r:credstore_service:s0
|
||||
android.security.keystore u:object_r:keystore_service:s0
|
||||
android.security.legacykeystore u:object_r:legacykeystore_service:s0
|
||||
android.security.maintenance u:object_r:keystore_maintenance_service:s0
|
||||
android.security.metrics u:object_r:keystore_metrics_service:s0
|
||||
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
|
||||
apexservice u:object_r:apex_service:s0
|
||||
authfs_service u:object_r:authfs_binder_service:s0
|
||||
manager u:object_r:service_manager_service:s0
|
||||
|
|
|
|||
|
|
@ -6,7 +6,4 @@ userdebug_or_eng(`
|
|||
# su is also permissive to permit setenforce.
|
||||
permissive su;
|
||||
|
||||
# Do not audit accesses to keystore2 namespace for the su domain.
|
||||
dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
|
||||
|
||||
')
|
||||
|
|
|
|||
|
|
@ -2,7 +2,6 @@ type system_linker_exec, file_type, system_file_type;
|
|||
|
||||
# file types
|
||||
type adbd_socket, file_type, coredomain_socket;
|
||||
type apc_service, service_manager_type;
|
||||
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
||||
type apex_info_file, file_type;
|
||||
type apex_mnt_dir, file_type;
|
||||
|
|
@ -13,8 +12,6 @@ type cgroup_rc_file, file_type;
|
|||
type extra_apk_file, file_type;
|
||||
type file_contexts_file, file_type, system_file_type;
|
||||
type hwservice_contexts_file, file_type, system_file_type;
|
||||
type keystore2_key_contexts_file, file_type, system_file_type;
|
||||
type keystore_data_file, file_type, data_file_type, core_data_file_type;
|
||||
type linkerconfig_file, file_type;
|
||||
type logd_socket, file_type, mlstrustedobject, coredomain_socket;
|
||||
type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
|
||||
|
|
|
|||
|
|
@ -1,26 +0,0 @@
|
|||
type keystore, domain;
|
||||
type keystore_exec, file_type, exec_type, system_file_type;
|
||||
|
||||
# keystore daemon
|
||||
typeattribute keystore mlstrustedsubject;
|
||||
binder_use(keystore)
|
||||
binder_service(keystore)
|
||||
|
||||
allow keystore keystore_data_file:dir create_dir_perms;
|
||||
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
|
||||
allow keystore keystore_exec:file { getattr };
|
||||
|
||||
add_service(keystore, keystore_service)
|
||||
add_service(keystore, remoteprovisioning_service)
|
||||
add_service(keystore, apc_service)
|
||||
add_service(keystore, keystore_compat_hal_service)
|
||||
add_service(keystore, authorization_service)
|
||||
add_service(keystore, keystore_maintenance_service)
|
||||
add_service(keystore, keystore_metrics_service)
|
||||
add_service(keystore, legacykeystore_service)
|
||||
|
||||
# Check SELinux permissions.
|
||||
selinux_check_access(keystore)
|
||||
|
||||
r_dir_file(keystore, cgroup)
|
||||
r_dir_file(keystore, cgroup_v2)
|
||||
|
|
@ -34,8 +34,6 @@ type init_perf_lsm_hooks_prop, property_type;
|
|||
type init_service_status_private_prop, property_type;
|
||||
type init_service_status_prop, property_type;
|
||||
type init_svc_debug_prop, property_type;
|
||||
type keystore_crash_prop, property_type;
|
||||
type keystore_listen_prop, property_type;
|
||||
type libc_debug_prop, property_type;
|
||||
type log_tag_prop, property_type;
|
||||
type logd_prop, property_type;
|
||||
|
|
|
|||
|
|
@ -15,10 +15,6 @@ allow statsd shell_exec:file rx_file_perms;
|
|||
allow statsd system_file:file execute_no_trans;
|
||||
allow statsd toolbox_exec:file rx_file_perms;
|
||||
|
||||
# Allow statsd to interact with keystore to pull atoms
|
||||
allow statsd keystore_service:service_manager find;
|
||||
binder_call(statsd, keystore)
|
||||
|
||||
# Allow logd access.
|
||||
read_logd(statsd)
|
||||
control_logd(statsd)
|
||||
|
|
|
|||
|
|
@ -42,8 +42,6 @@ userdebug_or_eng(`
|
|||
dontaudit su hwservice_manager_type:hwservice_manager *;
|
||||
dontaudit su servicemanager:service_manager list;
|
||||
dontaudit su hwservicemanager:hwservice_manager list;
|
||||
dontaudit su keystore:keystore_key *;
|
||||
dontaudit su keystore:keystore2 *;
|
||||
dontaudit su domain:drmservice *;
|
||||
dontaudit su unlabeled:filesystem *;
|
||||
dontaudit su domain:bpf *;
|
||||
|
|
|
|||
|
|
@ -2,8 +2,6 @@
|
|||
type adb_service, system_server_service, system_api_service, service_manager_type;
|
||||
type apex_service, service_manager_type;
|
||||
type authfs_binder_service, service_manager_type;
|
||||
type authorization_service, service_manager_type;
|
||||
type credstore_service, app_api_service, service_manager_type;
|
||||
type default_android_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type default_android_service, service_manager_type;
|
||||
type dice_maintenance_service, service_manager_type;
|
||||
|
|
@ -17,11 +15,6 @@ type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
|
|||
type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type keystore_compat_hal_service, service_manager_type;
|
||||
type keystore_maintenance_service, service_manager_type;
|
||||
type keystore_metrics_service, service_manager_type;
|
||||
type keystore_service, service_manager_type;
|
||||
type legacykeystore_service, service_manager_type;
|
||||
type remoteprovisioning_service, service_manager_type;
|
||||
type service_manager_service, service_manager_type;
|
||||
type system_linker;
|
||||
|
|
|
|||
1
microdroid/vendor/hal_keymint_default.te
vendored
1
microdroid/vendor/hal_keymint_default.te
vendored
|
|
@ -4,7 +4,6 @@ hal_server_domain(hal_keymint_default, hal_keymint)
|
|||
type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(hal_keymint_default)
|
||||
|
||||
allow hal_keymint_default keystore:binder transfer;
|
||||
allow hal_keymint_default system_lib_file:file execute;
|
||||
|
||||
allow logd hal_keymint_default:dir search;
|
||||
|
|
|
|||
Loading…
Reference in a new issue