Add SELinux policies for remote_key_provisioning_native namespace.
We need to separate out the feature flags used by the remote key provisioning daemon (RKPD). For this, I have set up a new namespace, remote_key_provisioning_native. This change adds the SELinux policies that grant the appropriate permissions for reading and writing the feature flags in that namespace.

Change-Id: I9e73a623f847a058b6236dd0aa370a7f9a9e6da7
Test: TreeHugger
parent
38292f168a
commit
e1c49f5524
6 changed files with 9 additions and 1 deletions
|
@ -27,6 +27,7 @@ set_prop(flags_health_check, device_config_vendor_system_native_prop)
|
||||||
set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
|
set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
|
||||||
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
|
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
|
||||||
set_prop(flags_health_check, device_config_memory_safety_native_prop)
|
set_prop(flags_health_check, device_config_memory_safety_native_prop)
|
||||||
|
set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
|
||||||
|
|
||||||
# system property device_config_boot_count_prop is used for deciding when to perform server
|
# system property device_config_boot_count_prop is used for deciding when to perform server
|
||||||
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
|
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
|
||||||
|
|
|
@ -20,6 +20,9 @@ get_prop(keystore, device_logging_prop)
|
||||||
# Allow keystore to check if the system is rkp only.
|
# Allow keystore to check if the system is rkp only.
|
||||||
get_prop(keystore, remote_prov_prop)
|
get_prop(keystore, remote_prov_prop)
|
||||||
|
|
||||||
|
# Allow keystore to check rkpd feature flags
|
||||||
|
get_prop(keystore, device_config_remote_key_provisioning_native_prop)
|
||||||
|
|
||||||
# Allow keystore to write to statsd.
|
# Allow keystore to write to statsd.
|
||||||
unix_socket_send(keystore, statsdw, statsd)
|
unix_socket_send(keystore, statsdw, statsd)
|
||||||
|
|
||||||
|
|
|
@ -5,6 +5,7 @@ system_internal_prop(ctl_snapuserd_prop)
|
||||||
system_internal_prop(device_config_lmkd_native_prop)
|
system_internal_prop(device_config_lmkd_native_prop)
|
||||||
system_internal_prop(device_config_mglru_native_prop)
|
system_internal_prop(device_config_mglru_native_prop)
|
||||||
system_internal_prop(device_config_profcollect_native_boot_prop)
|
system_internal_prop(device_config_profcollect_native_boot_prop)
|
||||||
|
system_internal_prop(device_config_remote_key_provisioning_native_prop)
|
||||||
system_internal_prop(device_config_statsd_native_prop)
|
system_internal_prop(device_config_statsd_native_prop)
|
||||||
system_internal_prop(device_config_statsd_native_boot_prop)
|
system_internal_prop(device_config_statsd_native_boot_prop)
|
||||||
system_internal_prop(device_config_storage_native_boot_prop)
|
system_internal_prop(device_config_storage_native_boot_prop)
|
||||||
|
|
|
@ -255,6 +255,7 @@ persist.device_config.media_native. u:object_r:device_config_med
|
||||||
persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
|
persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
|
||||||
persist.device_config.nnapi_native. u:object_r:device_config_nnapi_native_prop:s0
|
persist.device_config.nnapi_native. u:object_r:device_config_nnapi_native_prop:s0
|
||||||
persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
|
persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
|
||||||
|
persist.device_config.remote_key_provisioning_native. u:object_r:device_config_remote_key_provisioning_native_prop:s0
|
||||||
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
|
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
|
||||||
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
|
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
|
||||||
persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
|
persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
|
||||||
|
|
|
@ -12,4 +12,4 @@ init_daemon_domain(rkpd)
|
||||||
add_service(rkpd, rkpd_registrar_service)
|
add_service(rkpd, rkpd_registrar_service)
|
||||||
add_service(rkpd, rkpd_refresh_service)
|
add_service(rkpd, rkpd_refresh_service)
|
||||||
|
|
||||||
|
get_prop(rkpd, device_config_remote_key_provisioning_native_prop)
|
||||||
|
|
|
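Review bot: The added `get_prop(rkpd, device_config_remote_key_provisioning_native_prop)` carries no comment, unlike the matching keystore rule, so a later audit of rkpd's grants has to reconstruct why the daemon reads this type. I would put `# Allow rkpd to read its feature flags (remote_key_provisioning_native namespace).` directly above it. This section also accounts for the commit's single deletion (the header reads -12,4 +12,4), but the rendered page does not show which line was removed, so that part could not be reviewed here.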
@ -755,6 +755,7 @@ set_prop(system_server, device_config_vendor_system_native_prop)
|
||||||
set_prop(system_server, device_config_vendor_system_native_boot_prop)
|
set_prop(system_server, device_config_vendor_system_native_boot_prop)
|
||||||
set_prop(system_server, device_config_virtualization_framework_native_prop)
|
set_prop(system_server, device_config_virtualization_framework_native_prop)
|
||||||
set_prop(system_server, device_config_memory_safety_native_prop)
|
set_prop(system_server, device_config_memory_safety_native_prop)
|
||||||
|
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
|
||||||
set_prop(system_server, smart_idle_maint_enabled_prop)
|
set_prop(system_server, smart_idle_maint_enabled_prop)
|
||||||
|
|
||||||
# Allow query ART device config properties
|
# Allow query ART device config properties
|
||||||
|
@ -1288,6 +1289,7 @@ neverallow {
|
||||||
device_config_runtime_native_prop
|
device_config_runtime_native_prop
|
||||||
device_config_media_native_prop
|
device_config_media_native_prop
|
||||||
device_config_mglru_native_prop
|
device_config_mglru_native_prop
|
||||||
|
device_config_remote_key_provisioning_native_prop
|
||||||
device_config_storage_native_boot_prop
|
device_config_storage_native_boot_prop
|
||||||
device_config_surface_flinger_native_boot_prop
|
device_config_surface_flinger_native_boot_prop
|
||||||
device_config_sys_traced_prop
|
device_config_sys_traced_prop
|
||||||
|
|
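Review bot: The `neverallow` block that gains `device_config_remote_key_provisioning_native_prop` opens and closes outside this hunk, so the source set and the permission it denies cannot be checked from the visible lines. These flags steer the remote key provisioning daemon, so the writer set matters: I would expect the block to end in `}:property_service set;` with no exempt domains beyond the ones given `set_prop` in this commit (system_server and flags_health_check) plus init. If the block covers something else, the new type needs a rule of its own. keystore and rkpd, which receive only `get_prop`, should stay outside any exemption.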