Merge changes I74797b13,I5d0b06e3 am: 1b0415fcb0

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1887529

Change-Id: I9c124a4962a49bc2da6018fc0a0dde6bc74932b2
This commit is contained in:
Treehugger Robot 2021-11-18 00:12:08 +00:00 committed by Automerger Merge Worker
commit e58de1b17a
14 changed files with 56 additions and 0 deletions

View file

@ -750,6 +750,16 @@ class keystore2_key
use_dev_id
}
class diced
{
demote
demote_self
derive
get_attestation_chain
use_seal
use_sign
}
class drmservice {
consumeRights
setPlaybackStatus

View file

@ -10,9 +10,14 @@
attestation_verification_service
camera2_extensions_prop
device_config_nnapi_native_prop
dice_maintenance_service
dice_node_service
diced
diced_exec
extra_free_kbytes
extra_free_kbytes_exec
hal_contexthub_service
hal_dice_service
hal_graphics_composer_service
hal_health_service
hal_radio_config_service

View file

@ -8,6 +8,7 @@ allow crash_dump {
-apexd
-bpfloader
-crash_dump
-diced
-init
-kernel
-keystore
@ -40,6 +41,7 @@ neverallow crash_dump {
apexd
userdebug_or_eng(`-apexd')
bpfloader
diced
init
kernel
keystore

6
private/diced.te Normal file
View file

@ -0,0 +1,6 @@
typeattribute diced coredomain;
init_daemon_domain(diced)
# Talk to dice HAL.
hal_client_domain(diced, hal_dice)

View file

@ -270,6 +270,7 @@
/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/keystore2 u:object_r:keystore_exec:s0
/system/bin/diced u:object_r:diced_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0

View file

@ -23,6 +23,7 @@ userdebug_or_eng(`
allow llkd {
domain
-apexd
-diced
-kernel
-keystore
-init

View file

@ -163,5 +163,8 @@ class keystore2 # userspace
# Keystore 2.0 key permissions
class keystore2_key # userspace
# Diced permissions
class diced # userspace
class drmservice # userspace
# FLASK

View file

@ -34,6 +34,7 @@ android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_voice_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_voice_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
@ -65,6 +66,8 @@ android.os.UpdateEngineStableService u:object_r:update_engine_stable_servic
android.security.apc u:object_r:apc_service:s0
android.security.authorization u:object_r:authorization_service:s0
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
android.security.dice.IDiceNode u:object_r:dice_node_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.security.legacykeystore u:object_r:legacykeystore_service:s0

View file

@ -333,6 +333,7 @@ hal_attribute(codec2);
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
hal_attribute(dice);
hal_attribute(drm);
hal_attribute(dumpstate);
hal_attribute(evs);

11
public/diced.te Normal file
View file

@ -0,0 +1,11 @@
type diced, domain;
type diced_exec, system_file_type, exec_type, file_type;
binder_use(diced)
binder_service(diced)
add_service(diced, dice_node_service)
add_service(diced, dice_maintenance_service)
# Check SELinux permissions.
selinux_check_access(diced)

4
public/hal_dice.te Normal file
View file

@ -0,0 +1,4 @@
binder_call(hal_dice_client, hal_dice_server)
hal_attribute_service(hal_dice, hal_dice_service)
binder_call(hal_dice_server, servicemanager)

View file

@ -8,6 +8,8 @@ type batteryproperties_service, app_api_service, ephemeral_app_api_service, serv
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
type default_android_service, service_manager_type;
type dice_maintenance_service, service_manager_type;
type dice_node_service, service_manager_type;
type dnsresolver_service, service_manager_type;
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
@ -259,6 +261,7 @@ type hal_audio_service, vendor_service, protected_service, service_manager_type;
type hal_audiocontrol_service, vendor_service, service_manager_type;
type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
type hal_dice_service, vendor_service, protected_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;

View file

@ -75,6 +75,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0

5
vendor/hal_dice_default.te vendored Normal file
View file

@ -0,0 +1,5 @@
type hal_dice_default, domain;
hal_server_domain(hal_dice_default, hal_dice)
type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_dice_default)