Merge "Remove RemoteProvisioner and remoteprovisioning services" am: 0099ba37f3
am: 45734ff4a7
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2488295 Change-Id: Iffabeb7cb8cdc23b53dc6cf42743e1da44c20554 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
ddc3df3035
9 changed files with 2 additions and 33 deletions
|
@ -164,8 +164,6 @@ var (
|
|||
"android.security.legacykeystore": EXCEPTION_NO_FUZZER,
|
||||
"android.security.maintenance": EXCEPTION_NO_FUZZER,
|
||||
"android.security.metrics": EXCEPTION_NO_FUZZER,
|
||||
"android.security.remoteprovisioning": EXCEPTION_NO_FUZZER,
|
||||
"android.security.remoteprovisioning.IRemotelyProvisionedKeyPool": EXCEPTION_NO_FUZZER,
|
||||
"android.service.gatekeeper.IGateKeeperService": EXCEPTION_NO_FUZZER,
|
||||
"android.system.composd": EXCEPTION_NO_FUZZER,
|
||||
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
|
||||
|
|
|
@ -16,6 +16,8 @@
|
|||
(type iorapd_service)
|
||||
(type iorapd_tmpfs)
|
||||
(type lowpan_service)
|
||||
(type remotelyprovisionedkeypool_service)
|
||||
(type remoteprovisioning_service)
|
||||
(type timezone_service)
|
||||
(type tzdatacheck)
|
||||
(type tzdatacheck_exec)
|
||||
|
|
|
@ -8,10 +8,6 @@ hal_client_domain(credstore, hal_identity)
|
|||
# talk to keymint, specifically for IRemotelyProvisionedComponent/default
|
||||
hal_client_domain(credstore, hal_keymint)
|
||||
|
||||
# credstore needs to get keys from the remotely provisioned pool
|
||||
allow credstore remotelyprovisionedkeypool_service:service_manager find;
|
||||
allow credstore keystore:keystore2 get_attestation_key;
|
||||
|
||||
# credstore needs to get keys from the RKPD
|
||||
get_prop(credstore, remote_prov_prop)
|
||||
allow credstore remote_provisioning_service:service_manager find;
|
||||
|
|
|
@ -628,10 +628,8 @@ neverallow {
|
|||
neverallow domain system_and_vendor_property_type:{file property_service} *;
|
||||
|
||||
neverallow {
|
||||
# Only init and the remote provisioner can set the remote_provisioning props
|
||||
domain
|
||||
-init
|
||||
-remote_prov_app
|
||||
-shell
|
||||
-rkpdapp
|
||||
} remote_prov_prop:property_service set;
|
||||
|
|
|
@ -1,18 +0,0 @@
|
|||
type remote_prov_app, domain;
|
||||
typeattribute remote_prov_app coredomain;
|
||||
|
||||
app_domain(remote_prov_app)
|
||||
net_domain(remote_prov_app)
|
||||
|
||||
set_prop(remote_prov_app, remote_prov_prop)
|
||||
# The app needs access to properly build a DeviceInfo package for the verifying server
|
||||
get_prop(remote_prov_app, vendor_security_patch_level_prop)
|
||||
|
||||
# if rkpd is enabled, remote provisioner is a noop
|
||||
get_prop(remote_prov_app, device_config_remote_key_provisioning_native_prop)
|
||||
|
||||
allow remote_prov_app {
|
||||
app_api_service
|
||||
mediametrics_service
|
||||
remoteprovisioning_service
|
||||
}:service_manager find;
|
|
@ -152,7 +152,6 @@ isSystemServer=true domain=system_server_startup
|
|||
neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
|
||||
|
||||
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
|
||||
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
|
||||
user=system seinfo=platform domain=system_app type=system_app_data_file
|
||||
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
|
||||
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
|
||||
|
|
|
@ -140,8 +140,6 @@ android.security.keystore u:object_r:keystore_service:s0
|
|||
android.security.legacykeystore u:object_r:legacykeystore_service:s0
|
||||
android.security.maintenance u:object_r:keystore_maintenance_service:s0
|
||||
android.security.metrics u:object_r:keystore_metrics_service:s0
|
||||
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
|
||||
android.security.remoteprovisioning.IRemotelyProvisionedKeyPool u:object_r:remotelyprovisionedkeypool_service:s0
|
||||
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
|
||||
android.system.composd u:object_r:compos_service:s0
|
||||
android.system.virtualizationservice u:object_r:virtualization_service:s0
|
||||
|
|
|
@ -14,8 +14,6 @@ allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
|
|||
allow keystore keystore_exec:file { getattr };
|
||||
|
||||
add_service(keystore, keystore_service)
|
||||
add_service(keystore, remotelyprovisionedkeypool_service)
|
||||
add_service(keystore, remoteprovisioning_service)
|
||||
allow keystore sec_key_att_app_id_provider_service:service_manager find;
|
||||
allow keystore dropbox_service:service_manager find;
|
||||
allow keystore remote_provisioning_service:service_manager find;
|
||||
|
|
|
@ -38,8 +38,6 @@ type netd_service, service_manager_type;
|
|||
type nfc_service, service_manager_type;
|
||||
type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
|
||||
type radio_service, service_manager_type;
|
||||
type remotelyprovisionedkeypool_service, service_manager_type;
|
||||
type remoteprovisioning_service, service_manager_type;
|
||||
type secure_element_service, service_manager_type;
|
||||
type service_manager_service, service_manager_type;
|
||||
type storaged_service, service_manager_type;
|
||||
|
|
Loading…
Reference in a new issue