Add SELinux policy changes for rkpd

This is a part of changes to bring up Remote Key Provisioning Daemon module. See packages/modules/RemoteKeyProvisioning for more info. Change-Id: Iae4e98176491637acb03e2e09b9d8dbc269be616 Test: atest rkpd_client_test
2022-08-31 00:08:16 +00:00 · 2022-08-31 00:08:16 +00:00 · d25c80a951
commit d25c80a951
parent 5043c02262
6 changed files with 30 additions and 0 deletions
--- a/apex/Android.bp
+++ b/apex/Android.bp
@ -272,3 +272,10 @@ filegroup {
    "com.android.healthconnect-file_contexts",
  ],
 }
+
+filegroup {
+  name: "com.android.rkpd-file_contexts",
+  srcs: [
+    "com.android.rkpd-file_contexts",
+  ],
+}
--- a/apex/com.android.rkpd-file_contexts
+++ b/apex/com.android.rkpd-file_contexts
@ -0,0 +1,2 @@
+(/.*)?              u:object_r:system_file:s0
+/bin/rkpd           u:object_r:rkpd_exec:s0
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@ -313,6 +313,8 @@ var (
 		"resolver":                     []string{},
 		"resources":                    []string{},
 		"restrictions":                 []string{},
+		"rkpd.registrar":               []string{},
+		"rkpd.refresh":                 []string{},
 		"role":                         []string{},
 		"rollback":                     []string{},
 		"rttmanager":                   []string{},
--- a/private/rkpd.te
+++ b/private/rkpd.te
@ -0,0 +1,15 @@
+# Policies for Remote Key Provisioning Daemon (rkpd)
+type rkpd, domain;
+type rkpd_exec, system_file_type, exec_type, file_type;
+
+typeattribute rkpd coredomain;
+
+binder_use(rkpd)
+binder_service(rkpd)
+
+init_daemon_domain(rkpd)
+
+add_service(rkpd, rkpd_registrar_service)
+add_service(rkpd, rkpd_refresh_service)
+
+
--- a/private/service.te
+++ b/private/service.te
@ -10,6 +10,8 @@ type logd_service,                  service_manager_type;
 type mediatuner_service,            app_api_service, service_manager_type;
 type profcollectd_service,          service_manager_type;
 type resolver_service,              system_server_service, service_manager_type;
+type rkpd_registrar_service,        service_manager_type;
+type rkpd_refresh_service,          service_manager_type;
 type safety_center_service,         app_api_service, system_api_service, system_server_service, service_manager_type;
 type stats_service,                 service_manager_type;
 type statsbootstrap_service,        system_server_service, service_manager_type;
--- a/private/service_contexts
+++ b/private/service_contexts
@ -298,6 +298,8 @@ recovery                                  u:object_r:recovery_service:s0
 resolver                                  u:object_r:resolver_service:s0
 resources                                 u:object_r:resources_manager_service:s0
 restrictions                              u:object_r:restrictions_service:s0
+rkpd.registrar                            u:object_r:rkpd_registrar_service:s0
+rkpd.refresh                              u:object_r:rkpd_refresh_service:s0
 role                                      u:object_r:role_service:s0
 rollback                                  u:object_r:rollback_service:s0
 rttmanager                                u:object_r:rttmanager_service:s0