From 970cfa5674b1d6c68c7245aabb7ff811537d427d Mon Sep 17 00:00:00 2001 From: Seth Moore Date: Wed, 2 Nov 2022 21:06:57 -0700 Subject: [PATCH] Limit special file permissions to the keymint server domain There are still some paths (potentially obsolete) on non-treble devices where hal_keymint_client domains have the hal_keymint typeattribute applied. In these cases, those domains also pick up the file access permissions currently granted to hal_keymint. Clean this up by limiting the permissions to hal_keymint_server only. Test: VtsAidlKeyMintTargetTest Change-Id: If1a437636824df254da245e7587df825b6963ed9 --- public/hal_keymint.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/public/hal_keymint.te b/public/hal_keymint.te index 9c65e22df..ba2995628 100644 --- a/public/hal_keymint.te +++ b/public/hal_keymint.te @@ -4,5 +4,5 @@ hal_attribute_service(hal_keymint, hal_keymint_service) hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service) binder_call(hal_keymint_server, servicemanager) -allow hal_keymint tee_device:chr_file rw_file_perms; -allow hal_keymint ion_device:chr_file r_file_perms; +allow hal_keymint_server tee_device:chr_file rw_file_perms; +allow hal_keymint_server ion_device:chr_file r_file_perms;
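Review bot: The two re-scoped rules at the end of the hunk (`allow hal_keymint_server tee_device:chr_file rw_file_perms;` and the `ion_device` one) have no comment explaining why they name the server attribute while the `hal_attribute_service` lines above them keep `hal_keymint`, so a later cleanup could widen them back for consistency. I would put the rationale from the commit message next to the rules, for example `# Server only: on non-Treble builds hal_keymint is also applied to client domains, which should not inherit this device access.` The listed test, VtsAidlKeyMintTargetTest, appears to exercise the HAL server, so on its own it would not show whether a client domain on a non-Treble build depended on the old grant. Checking such a build for denials on `tee_device` or `ion_device` would close that gap.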