Add SELinux policies for remote_key_provisioning_native namespace.

We need to separate out the feature flags in use by remote key
provisioning daemon (RKPD). For this, I have set up a new namespace
remote_key_provisioning_native. This change adds the SELinux policies to
make sure appropriate permissions are present when accessing the feature
flag for read/write.

Change-Id: I9e73a623f847a058b6236dd0aa370a7f9a9e6da7
Test: TreeHugger

private/flags_health_check.te

@@ -27,6 +27,7 @@ set_prop(flags_health_check, device_config_vendor_system_native_prop)
 set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
 set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
 set_prop(flags_health_check, device_config_memory_safety_native_prop)
+set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a

private/keystore.te

@@ -20,6 +20,9 @@ get_prop(keystore, device_logging_prop)
 # Allow keystore to check if the system is rkp only.
 get_prop(keystore, remote_prov_prop)
 
+# Allow keystore to check rkpd feature flags
+get_prop(keystore, device_config_remote_key_provisioning_native_prop)
+
 # Allow keystore to write to statsd.
 unix_socket_send(keystore, statsdw, statsd)
 

private/property.te

@@ -5,6 +5,7 @@ system_internal_prop(ctl_snapuserd_prop)
 system_internal_prop(device_config_lmkd_native_prop)
 system_internal_prop(device_config_mglru_native_prop)
 system_internal_prop(device_config_profcollect_native_boot_prop)
+system_internal_prop(device_config_remote_key_provisioning_native_prop)
 system_internal_prop(device_config_statsd_native_prop)
 system_internal_prop(device_config_statsd_native_boot_prop)
 system_internal_prop(device_config_storage_native_boot_prop)

private/property_contexts

@@ -255,6 +255,7 @@ persist.device_config.media_native.                 u:object_r:device_config_med
 persist.device_config.netd_native.                  u:object_r:device_config_netd_native_prop:s0
 persist.device_config.nnapi_native.                 u:object_r:device_config_nnapi_native_prop:s0
 persist.device_config.profcollect_native_boot.      u:object_r:device_config_profcollect_native_boot_prop:s0
+persist.device_config.remote_key_provisioning_native.  u:object_r:device_config_remote_key_provisioning_native_prop:s0
 persist.device_config.runtime_native.               u:object_r:device_config_runtime_native_prop:s0
 persist.device_config.runtime_native_boot.          u:object_r:device_config_runtime_native_boot_prop:s0
 persist.device_config.statsd_native.                u:object_r:device_config_statsd_native_prop:s0

private/rkpd.te

@@ -12,4 +12,4 @@ init_daemon_domain(rkpd)
 add_service(rkpd, rkpd_registrar_service)
 add_service(rkpd, rkpd_refresh_service)
 
-
+get_prop(rkpd, device_config_remote_key_provisioning_native_prop)

private/system_server.te

@@ -755,6 +755,7 @@ set_prop(system_server, device_config_vendor_system_native_prop)
 set_prop(system_server, device_config_vendor_system_native_boot_prop)
 set_prop(system_server, device_config_virtualization_framework_native_prop)
 set_prop(system_server, device_config_memory_safety_native_prop)
+set_prop(system_server, device_config_remote_key_provisioning_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
 
 # Allow query ART device config properties
@@ -1288,6 +1289,7 @@ neverallow {
   device_config_runtime_native_prop
   device_config_media_native_prop
   device_config_mglru_native_prop
+  device_config_remote_key_provisioning_native_prop
   device_config_storage_native_boot_prop
   device_config_surface_flinger_native_boot_prop
   device_config_sys_traced_prop