Merge "Remove RemoteProvisioner and remoteprovisioning services" am: 0099ba37f3 am: 45734ff4a7

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2488295

Change-Id: Iffabeb7cb8cdc23b53dc6cf42743e1da44c20554
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Tri Vo 2023-03-17 18:26:13 +00:00 committed by Automerger Merge Worker
commit ddc3df3035
9 changed files with 2 additions and 33 deletions


@ -164,8 +164,6 @@ var (
"android.security.legacykeystore": EXCEPTION_NO_FUZZER,
"android.security.maintenance": EXCEPTION_NO_FUZZER,
"android.security.metrics": EXCEPTION_NO_FUZZER,
"android.security.remoteprovisioning": EXCEPTION_NO_FUZZER,
"android.security.remoteprovisioning.IRemotelyProvisionedKeyPool": EXCEPTION_NO_FUZZER,
"android.service.gatekeeper.IGateKeeperService": EXCEPTION_NO_FUZZER,
"android.system.composd": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER,


@ -16,6 +16,8 @@
(type iorapd_service)
(type iorapd_tmpfs)
(type lowpan_service)
(type remotelyprovisionedkeypool_service)
(type remoteprovisioning_service)
(type timezone_service)
(type tzdatacheck)
(type tzdatacheck_exec)


@ -8,10 +8,6 @@ hal_client_domain(credstore, hal_identity)
# talk to keymint, specifically for IRemotelyProvisionedComponent/default
hal_client_domain(credstore, hal_keymint)
# credstore needs to get keys from the remotely provisioned pool
allow credstore remotelyprovisionedkeypool_service:service_manager find;
allow credstore keystore:keystore2 get_attestation_key;
# credstore needs to get keys from the RKPD
get_prop(credstore, remote_prov_prop)
allow credstore remote_provisioning_service:service_manager find;


@ -628,10 +628,8 @@ neverallow {
neverallow domain system_and_vendor_property_type:{file property_service} *;
neverallow {
# Only init and the remote provisioner can set the remote_provisioning props
domain
-init
-remote_prov_app
-shell
-rkpdapp
} remote_prov_prop:property_service set;


@ -1,18 +0,0 @@
type remote_prov_app, domain;
typeattribute remote_prov_app coredomain;
app_domain(remote_prov_app)
net_domain(remote_prov_app)
set_prop(remote_prov_app, remote_prov_prop)
# The app needs access to properly build a DeviceInfo package for the verifying server
get_prop(remote_prov_app, vendor_security_patch_level_prop)
# if rkpd is enabled, remote provisioner is a noop
get_prop(remote_prov_app, device_config_remote_key_provisioning_native_prop)
allow remote_prov_app {
app_api_service
mediametrics_service
remoteprovisioning_service
}:service_manager find;


@ -152,7 +152,6 @@ isSystemServer=true domain=system_server_startup
neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file


@ -140,8 +140,6 @@ android.security.keystore u:object_r:keystore_service:s0
android.security.legacykeystore u:object_r:legacykeystore_service:s0
android.security.maintenance u:object_r:keystore_maintenance_service:s0
android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
android.security.remoteprovisioning.IRemotelyProvisionedKeyPool u:object_r:remotelyprovisionedkeypool_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.composd u:object_r:compos_service:s0
android.system.virtualizationservice u:object_r:virtualization_service:s0


@ -14,8 +14,6 @@ allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
add_service(keystore, keystore_service)
add_service(keystore, remotelyprovisionedkeypool_service)
add_service(keystore, remoteprovisioning_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
allow keystore remote_provisioning_service:service_manager find;


@ -38,8 +38,6 @@ type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
type radio_service, service_manager_type;
type remotelyprovisionedkeypool_service, service_manager_type;
type remoteprovisioning_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
type storaged_service, service_manager_type;