tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add sepolicy for non-secure AuthGraph impl

Browse source 
Bug: 284470121
Bug: 291228560
Test: hal_implementation_test
Test: VtsAidlAuthGraphSessionTest
Change-Id: I85bf9e0656bab3c96765cc15a5a983aefb6af66d
This commit is contained in:
David Drysdale 2023-10-09 15:05:07 +01:00 committed by Hasini Gunasinghe
parent 012b954125
commit c4ab01baad
10 changed files with 20 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
build/soong/service_fuzzer_bindings.go
View file

@ -114,6 +114,7 @@ var (
"android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER, "android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER, "android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER, "android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER,
"android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure": EXCEPTION_NO_FUZZER,
"android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER, "android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER, "android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER, "android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,

1
private/compat/34.0/34.0.ignore.cil
View file

@ -9,6 +9,7 @@
dtbo_block_device dtbo_block_device
ota_build_prop ota_build_prop
snapuserd_log_data_file snapuserd_log_data_file
hal_authgraph_service
hal_codec2_service hal_codec2_service
hal_threadnetwork_service hal_threadnetwork_service
virtual_camera_service virtual_camera_service

1
private/service_contexts
View file

@ -89,6 +89,7 @@ android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0 android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0 android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0 android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure u:object_r:hal_authgraph_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0 android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0 android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0 android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0

1
private/system_server.te
View file

@ -306,6 +306,7 @@ binder_service(system_server)
# Use HALs # Use HALs
hal_client_domain(system_server, hal_allocator) hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_audio) hal_client_domain(system_server, hal_audio)
hal_client_domain(system_server, hal_authgraph)
hal_client_domain(system_server, hal_authsecret) hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio) hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2) hal_client_domain(system_server, hal_codec2)

1
public/attributes
View file

@ -331,6 +331,7 @@ hal_attribute(allocator);
hal_attribute(atrace); hal_attribute(atrace);
hal_attribute(audio); hal_attribute(audio);
hal_attribute(audiocontrol); hal_attribute(audiocontrol);
hal_attribute(authgraph);
hal_attribute(authsecret); hal_attribute(authsecret);
hal_attribute(bluetooth); hal_attribute(bluetooth);
hal_attribute(bootctl); hal_attribute(bootctl);

1
public/dumpstate.te
View file

@ -151,6 +151,7 @@ binder_call(dumpstate, { appdomain artd netd wificond })
# Allow dumpstate to call dump() on specific hals. # Allow dumpstate to call dump() on specific hals.
dump_hal(hal_audio) dump_hal(hal_audio)
dump_hal(hal_audiocontrol) dump_hal(hal_audiocontrol)
dump_hal(hal_authgraph)
dump_hal(hal_authsecret) dump_hal(hal_authsecret)
dump_hal(hal_bluetooth) dump_hal(hal_bluetooth)
dump_hal(hal_broadcastradio) dump_hal(hal_broadcastradio)

7
public/hal_authgraph.te Normal file
View file

@ -0,0 +1,7 @@
binder_call(hal_authgraph_client, hal_authgraph_server)
hal_attribute_service(hal_authgraph, hal_authgraph_service)
binder_call(hal_authgraph_server, servicemanager)
allow hal_authgraph_server tee_device:chr_file rw_file_perms;
allow hal_authgraph_server ion_device:chr_file r_file_perms;

1
public/service.te
View file

@ -279,6 +279,7 @@ type emergency_affordance_service, system_server_service, service_manager_type;
type hal_audio_service, protected_service, hal_service_type, service_manager_type; type hal_audio_service, protected_service, hal_service_type, service_manager_type;
type hal_audiocontrol_service, hal_service_type, service_manager_type; type hal_audiocontrol_service, hal_service_type, service_manager_type;
type hal_authgraph_service, protected_service, hal_service_type, service_manager_type;
type hal_authsecret_service, protected_service, hal_service_type, service_manager_type; type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type; type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type;
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type; type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;

1
vendor/file_contexts vendored
View file

@ -97,6 +97,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.authgraph-service\.nonsecure u:object_r:hal_authgraph_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0 /(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0

5
vendor/hal_authgraph_default.te vendored Normal file
View file

@ -0,0 +1,5 @@
type hal_authgraph_default, domain;
hal_server_domain(hal_authgraph_default, hal_authgraph)
type hal_authgraph_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_authgraph_default)