diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go index 29273cf78..f35ce4409 100644 --- a/build/soong/service_fuzzer_bindings.go +++ b/build/soong/service_fuzzer_bindings.go @@ -114,6 +114,7 @@ var ( "android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER, "android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER, "android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER, + "android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure": EXCEPTION_NO_FUZZER, "android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER, "android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER, "android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER, diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil index 16ec30376..7a4248fbd 100644 --- a/private/compat/34.0/34.0.ignore.cil +++ b/private/compat/34.0/34.0.ignore.cil @@ -9,6 +9,7 @@ dtbo_block_device ota_build_prop snapuserd_log_data_file + hal_authgraph_service hal_codec2_service hal_threadnetwork_service virtual_camera_service diff --git a/private/service_contexts b/private/service_contexts index 758cab6ad..ae30b3f72 100644 --- a/private/service_contexts +++ b/private/service_contexts @@ -89,6 +89,7 @@ android.hardware.radio.voice.IRadioVoice/slot1 u:object_r: android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0 android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0 android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0 +android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure u:object_r:hal_authgraph_service:s0 android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0 android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0 android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0 diff --git a/private/system_server.te b/private/system_server.te index efdeff45a..0229e6ce2 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -306,6 +306,7 @@ binder_service(system_server) # Use HALs hal_client_domain(system_server, hal_allocator) hal_client_domain(system_server, hal_audio) +hal_client_domain(system_server, hal_authgraph) hal_client_domain(system_server, hal_authsecret) hal_client_domain(system_server, hal_broadcastradio) hal_client_domain(system_server, hal_codec2) diff --git a/public/attributes b/public/attributes index d2b2cc1e3..a5d666ef8 100644 --- a/public/attributes +++ b/public/attributes @@ -331,6 +331,7 @@ hal_attribute(allocator); hal_attribute(atrace); hal_attribute(audio); hal_attribute(audiocontrol); +hal_attribute(authgraph); hal_attribute(authsecret); hal_attribute(bluetooth); hal_attribute(bootctl); diff --git a/public/dumpstate.te b/public/dumpstate.te index c52ca1553..496d95974 100644 --- a/public/dumpstate.te +++ b/public/dumpstate.te @@ -151,6 +151,7 @@ binder_call(dumpstate, { appdomain artd netd wificond }) # Allow dumpstate to call dump() on specific hals. dump_hal(hal_audio) dump_hal(hal_audiocontrol) +dump_hal(hal_authgraph) dump_hal(hal_authsecret) dump_hal(hal_bluetooth) dump_hal(hal_broadcastradio) diff --git a/public/hal_authgraph.te b/public/hal_authgraph.te new file mode 100644 index 000000000..f053cb08e --- /dev/null +++ b/public/hal_authgraph.te @@ -0,0 +1,7 @@ +binder_call(hal_authgraph_client, hal_authgraph_server) + +hal_attribute_service(hal_authgraph, hal_authgraph_service) +binder_call(hal_authgraph_server, servicemanager) + +allow hal_authgraph_server tee_device:chr_file rw_file_perms; +allow hal_authgraph_server ion_device:chr_file r_file_perms; diff --git a/public/service.te b/public/service.te index 53c9e5f3e..348446949 100644 --- a/public/service.te +++ b/public/service.te @@ -280,6 +280,7 @@ type emergency_affordance_service, system_server_service, service_manager_type; type hal_audio_service, protected_service, hal_service_type, service_manager_type; type hal_audiocontrol_service, hal_service_type, service_manager_type; +type hal_authgraph_service, protected_service, hal_service_type, service_manager_type; type hal_authsecret_service, protected_service, hal_service_type, service_manager_type; type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type; type hal_bootctl_service, protected_service, hal_service_type, service_manager_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index efe0b71b4..5bae6c57e 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -97,6 +97,7 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.authgraph-service\.nonsecure u:object_r:hal_authgraph_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0 /(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0 diff --git a/vendor/hal_authgraph_default.te b/vendor/hal_authgraph_default.te new file mode 100644 index 000000000..1676cca3a --- /dev/null +++ b/vendor/hal_authgraph_default.te @@ -0,0 +1,5 @@ +type hal_authgraph_default, domain; +hal_server_domain(hal_authgraph_default, hal_authgraph) + +type hal_authgraph_default_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_authgraph_default)