Merge "Revert^2 "[avf][rkp] Allow virtualizationservice to register RKP HAL"" into main am: dd034824b1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2812455 Change-Id: Ided47a6c565f8153868e717f14a70a5650cc5ff2 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
9f1f416b17
7 changed files with 13 additions and 0 deletions
@ -176,6 +176,7 @@ var (
"android.service.gatekeeper.IGateKeeperService": []string{"gatekeeperd_service_fuzzer"},
"android.service.gatekeeper.IGateKeeperService": []string{"gatekeeperd_service_fuzzer"},
"android.system.composd": EXCEPTION_NO_FUZZER,
"android.system.composd": EXCEPTION_NO_FUZZER,
// TODO(b/294158658): add fuzzer
// TODO(b/294158658): add fuzzer
"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER,
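Review bot: The new `IRemotelyProvisionedComponent/avf` entry is exempted from the service fuzzer with no tracking note, although a `// TODO(b/294158658): add fuzzer` comment sits a few lines above for a neighbouring entry. The /avf instance is served by virtualizationservice and, per the other hunks in this commit, is reachable from rkpdapp and system_server, so it is new binder attack surface that deserves at least a tracking comment such as `// TODO: add fuzzer for the AVF IRemotelyProvisionedComponent served by virtualizationservice`. The enclosing `var (` map starts before this hunk.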
@ -6,6 +6,7 @@
(typeattributeset new_objects
(typeattributeset new_objects
( new_objects
( new_objects
archive_service
archive_service
avf_remotelyprovisionedcomponent_service
dtbo_block_device
dtbo_block_device
ota_build_prop
ota_build_prop
snapuserd_log_data_file
snapuserd_log_data_file
@ -10,6 +10,10 @@ net_domain(rkpdapp)
# RKPD needs to be able to call the remote provisioning HALs
# RKPD needs to be able to call the remote provisioning HALs
hal_client_domain(rkpdapp, hal_keymint)
hal_client_domain(rkpdapp, hal_keymint)
# Grant access to AVF IRPC service
allow rkpdapp avf_remotelyprovisionedcomponent_service:service_manager find;
binder_call(rkpdapp, virtualizationservice)
# Grant access to certain system properties related to RKP
# Grant access to certain system properties related to RKP
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
set_prop(rkpdapp, remote_prov_prop)
set_prop(rkpdapp, remote_prov_prop)
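Review bot: `binder_call(rkpdapp, virtualizationservice)` on the new line grants binder call/transfer against the whole virtualizationservice domain, not just against the IRemotelyProvisionedComponent/avf object that the preceding `find` rule is scoped to; since the same domain also registers `virtualization_service` (see this commit's virtualizationservice.te hunk), rkpdapp can invoke any virtualizationservice binder it is handed, although it still cannot look up virtualization_service through servicemanager without a matching `find` rule. As I read the macro that is the normal limit of SELinux binder granularity, so the remedy is to make the intent explicit in the comment, e.g. `# Grant access to the AVF IRemotelyProvisionedComponent (served by virtualizationservice); this does not grant find on virtualization_service`. The enclosing rkpdapp policy continues outside the hunk.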
@ -93,6 +93,7 @@ android.hardware.rebootescrow.IRebootEscrow/default u:object_r:
android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure u:object_r:hal_authgraph_service:s0
android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure u:object_r:hal_authgraph_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/avf u:object_r:avf_remotelyprovisionedcomponent_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
@ -351,6 +351,8 @@ hal_client_domain(system_server, hal_wifi_supplicant)
# permission for recovery in order not to give system server the access to
# permission for recovery in order not to give system server the access to
# the low level block devices.
# the low level block devices.
not_recovery(`hal_client_domain(system_server, hal_bootctl)')
not_recovery(`hal_client_domain(system_server, hal_bootctl)')
allow system_server avf_remotelyprovisionedcomponent_service:service_manager find;
binder_call(system_server, virtualizationservice)
# Talk with graphics composer fences
# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;
allow system_server hal_graphics_composer:fd use;
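Review bot: The two added system_server rules carry no comment, while the equivalent grant to rkpdapp in this commit is introduced with `# Grant access to AVF IRPC service`, and it is not visible from the hunk why system_server needs direct access to the AVF IRemotelyProvisionedComponent in addition to rkpdapp. Add a line naming the consumer, e.g. `# Let system_server find the AVF IRemotelyProvisionedComponent and call virtualizationservice for pVM remote attestation.`, so the next reader can tell whether the rule is still needed. Keep in mind that `binder_call(system_server, virtualizationservice)` is not limited to that one service; only the `find` rule restricts servicemanager lookup to avf_remotelyprovisionedcomponent_service. The enclosing system_server policy continues on both sides of the hunk.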
@ -15,6 +15,9 @@ binder_use(virtualizationservice)
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
add_service(virtualizationservice, virtualization_service)
# Allow registering as a remotely provisioned component for pVM remote attestation.
add_service(virtualizationservice, avf_remotelyprovisionedcomponent_service)
# Let virtualizationservice find and communicate with vfio_handler.
# Let virtualizationservice find and communicate with vfio_handler.
allow virtualizationservice vfio_handler_service:service_manager find;
allow virtualizationservice vfio_handler_service:service_manager find;
binder_call(virtualizationservice, vfio_handler)
binder_call(virtualizationservice, vfio_handler)
@ -319,6 +319,7 @@ type hal_power_stats_service, protected_service, hal_service_type, service_manag
type hal_radio_service, protected_service, hal_service_type, service_manager_type;
type hal_radio_service, protected_service, hal_service_type, service_manager_type;
type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
type avf_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
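Review bot: `avf_remotelyprovisionedcomponent_service` is declared with the `hal_service_type` attribute, yet the domain that registers it in this commit is virtualizationservice rather than a HAL server domain, unlike the `hal_remotelyprovisionedcomponent_service` entry directly below it. If any neverallow rules elsewhere in the policy are keyed on hal_service_type (the Revert^2 in the title suggests the first landing ran into something, though the cause is not visible here), confirm that the attribute is intended; either way a comment would save the next reader the lookup, e.g. `# Served by virtualizationservice (system), not a vendor HAL; instance IRemotelyProvisionedComponent/avf in service_contexts.`. As a matter of style, the line is wedged between hal_remoteaccess_service and hal_remotelyprovisionedcomponent_service, breaking the otherwise alphabetical hal_* run; placing it with the other non-hal service types would read better. The enclosing list of type declarations continues outside the hunk.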