Add remotely provisioned key pool se policy

Keystore now hosts a native binder for the remotely provisioned key pool, which is used to services such as credstore to lookup remotely provisioned keys. Add a new service context and include it in the keystore services. Add a dependency on this new service for credstore. Also include a credstore dependency on IRemotelyProvisionedComponent, as it's needed to make use of the key pool. Bug: 194696876 Test: CtsIdentityTestCases Change-Id: I0fa71c5be79922a279eb1056305bbd3e8078116e
2022-02-02 13:36:50 -08:00 · 2022-02-02 13:36:50 -08:00 · a75cad0d0a
commit a75cad0d0a
parent 7e07941d3d
5 changed files with 10 additions and 0 deletions
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@ -47,6 +47,7 @@
    nearby_service
    proc_watermark_boost_factor
    proc_watermark_scale_factor
+    remotelyprovisionedkeypool_service
    resources_manager_service
    selection_toolbar_service
    snapuserd_proxy_socket
--- a/private/credstore.te
+++ b/private/credstore.te
@ -4,3 +4,9 @@ init_daemon_domain(credstore)

 # talk to Identity Credential
 hal_client_domain(credstore, hal_identity)
+
+# talk to keymint, specifically for IRemotelyProvisionedComponent/default
+hal_client_domain(credstore, hal_keymint)
+
+# credstore needs to get keys from the remotely provisioned pool
+allow credstore remotelyprovisionedkeypool_service:service_manager find;
--- a/private/service_contexts
+++ b/private/service_contexts
@ -86,6 +86,7 @@ android.security.legacykeystore           u:object_r:legacykeystore_service:s0
 android.security.maintenance              u:object_r:keystore_maintenance_service:s0
 android.security.metrics                  u:object_r:keystore_metrics_service:s0
 android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
+android.security.remoteprovisioning.IRemotelyProvisionedKeyPool u:object_r:remotelyprovisionedkeypool_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 android.system.composd                    u:object_r:compos_service:s0
 android.system.virtualizationservice      u:object_r:virtualization_service:s0
--- a/public/keystore.te
+++ b/public/keystore.te
@ -13,6 +13,7 @@ allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };

 add_service(keystore, keystore_service)
+add_service(keystore, remotelyprovisionedkeypool_service)
 add_service(keystore, remoteprovisioning_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 allow keystore dropbox_service:service_manager find;
--- a/public/service.te
+++ b/public/service.te
@ -37,6 +37,7 @@ type mediatranscoding_service,  app_api_service, service_manager_type;
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
+type remotelyprovisionedkeypool_service, service_manager_type;
 type remoteprovisioning_service,   service_manager_type;
 type secure_element_service,    service_manager_type;
 type service_manager_service,   service_manager_type;