Merge changes I74797b13,I5d0b06e3 am: 1b0415fcb0
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1887529 Change-Id: I9c124a4962a49bc2da6018fc0a0dde6bc74932b2
commit
e58de1b17a
14 changed files with 56 additions and 0 deletions
|
@ -750,6 +750,16 @@ class keystore2_key
|
|||
use_dev_id
|
||||
}
|
||||
|
||||
class diced
|
||||
{
|
||||
demote
|
||||
demote_self
|
||||
derive
|
||||
get_attestation_chain
|
||||
use_seal
|
||||
use_sign
|
||||
}
|
||||
|
||||
class drmservice {
|
||||
consumeRights
|
||||
setPlaybackStatus
|
||||
|
|
|
@ -10,9 +10,14 @@
|
|||
attestation_verification_service
|
||||
camera2_extensions_prop
|
||||
device_config_nnapi_native_prop
|
||||
dice_maintenance_service
|
||||
dice_node_service
|
||||
diced
|
||||
diced_exec
|
||||
extra_free_kbytes
|
||||
extra_free_kbytes_exec
|
||||
hal_contexthub_service
|
||||
hal_dice_service
|
||||
hal_graphics_composer_service
|
||||
hal_health_service
|
||||
hal_radio_config_service
|
||||
|
|
|
@ -8,6 +8,7 @@ allow crash_dump {
|
|||
-apexd
|
||||
-bpfloader
|
||||
-crash_dump
|
||||
-diced
|
||||
-init
|
||||
-kernel
|
||||
-keystore
|
||||
|
@ -40,6 +41,7 @@ neverallow crash_dump {
|
|||
apexd
|
||||
userdebug_or_eng(`-apexd')
|
||||
bpfloader
|
||||
diced
|
||||
init
|
||||
kernel
|
||||
keystore
|
||||
|
|
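Review bot: The exclusion added in both crash_dump hunks covers `diced` only, so the vendor process that serves `hal_dice_service` (`hal_dice_default`, added elsewhere in this commit) stays inside the set of domains crash_dump may act on. If that HAL process keeps DICE secrets in its address space, which seems likely for a software implementation, it needs the same treatment: `-hal_dice_server` in the allow set and `hal_dice_server` in the neverallow set, or a comment recording why it is left out. The llkd hunk further down has the same shape and the same question applies there. Both the allow and the neverallow statement begin and end outside these hunks, so the permissions involved are not visible here.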
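--- a/private/diced.te
+++ b/private/diced.te
@@ -0,0 +1,6 @@
+typeattribute diced coredomain;
+
+init_daemon_domain(diced)
+
+# Talk to dice HAL.
+hal_client_domain(diced, hal_dice)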
@ -270,6 +270,7 @@
|
|||
/system/bin/credstore u:object_r:credstore_exec:s0
|
||||
/system/bin/keystore u:object_r:keystore_exec:s0
|
||||
/system/bin/keystore2 u:object_r:keystore_exec:s0
|
||||
/system/bin/diced u:object_r:diced_exec:s0
|
||||
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
|
||||
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
|
||||
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
|
||||
|
|
|
@ -23,6 +23,7 @@ userdebug_or_eng(`
|
|||
allow llkd {
|
||||
domain
|
||||
-apexd
|
||||
-diced
|
||||
-kernel
|
||||
-keystore
|
||||
-init
|
||||
|
|
|
@ -163,5 +163,8 @@ class keystore2 # userspace
|
|||
# Keystore 2.0 key permissions
|
||||
class keystore2_key # userspace
|
||||
|
||||
# Diced permissions
|
||||
class diced # userspace
|
||||
|
||||
class drmservice # userspace
|
||||
# FLASK
|
||||
|
|
|
@ -34,6 +34,7 @@ android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:
|
|||
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_voice_service:s0
|
||||
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_voice_service:s0
|
||||
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
|
||||
android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
|
||||
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
|
||||
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
|
||||
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
|
||||
|
@ -65,6 +66,8 @@ android.os.UpdateEngineStableService u:object_r:update_engine_stable_servic
|
|||
android.security.apc u:object_r:apc_service:s0
|
||||
android.security.authorization u:object_r:authorization_service:s0
|
||||
android.security.compat u:object_r:keystore_compat_hal_service:s0
|
||||
android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
|
||||
android.security.dice.IDiceNode u:object_r:dice_node_service:s0
|
||||
android.security.identity u:object_r:credstore_service:s0
|
||||
android.security.keystore u:object_r:keystore_service:s0
|
||||
android.security.legacykeystore u:object_r:legacykeystore_service:s0
|
||||
|
|
|
@ -333,6 +333,7 @@ hal_attribute(codec2);
|
|||
hal_attribute(configstore);
|
||||
hal_attribute(confirmationui);
|
||||
hal_attribute(contexthub);
|
||||
hal_attribute(dice);
|
||||
hal_attribute(drm);
|
||||
hal_attribute(dumpstate);
|
||||
hal_attribute(evs);
|
||||
|
|
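--- a/public/diced.te
+++ b/public/diced.te
@@ -0,0 +1,11 @@
+type diced, domain;
+type diced_exec, system_file_type, exec_type, file_type;
+
+binder_use(diced)
+binder_service(diced)
+
+add_service(diced, dice_node_service)
+add_service(diced, dice_maintenance_service)
+
+# Check SELinux permissions.
+selinux_check_access(diced)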
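Review bot: Nothing in this commit records who is meant to reach the two services registered here or to hold the permissions of the new userspace class `diced`. `selinux_check_access(diced)` suggests diced checks that class against its callers, yet across the 14 files no domain is granted `find` on `dice_node_service` or `dice_maintenance_service`, and no neverallow bounds who may later receive `demote`, `derive`, `use_seal` or `use_sign`. Default deny keeps this safe today; the gap is that a later allow in any policy file would have no guard to trip. A comment above the `add_service` lines naming the expected clients of each service, followed by a neverallow on the `diced` class once those clients are known, would pin the intent.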
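--- a/public/hal_dice.te
+++ b/public/hal_dice.te
@@ -0,0 +1,4 @@
+binder_call(hal_dice_client, hal_dice_server)
+
+hal_attribute_service(hal_dice, hal_dice_service)
+binder_call(hal_dice_server, servicemanager)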
@ -8,6 +8,8 @@ type batteryproperties_service, app_api_service, ephemeral_app_api_service, serv
|
|||
type bluetooth_service, service_manager_type;
|
||||
type cameraserver_service, service_manager_type;
|
||||
type default_android_service, service_manager_type;
|
||||
type dice_maintenance_service, service_manager_type;
|
||||
type dice_node_service, service_manager_type;
|
||||
type dnsresolver_service, service_manager_type;
|
||||
type drmserver_service, service_manager_type;
|
||||
type dumpstate_service, service_manager_type;
|
||||
|
@ -259,6 +261,7 @@ type hal_audio_service, vendor_service, protected_service, service_manager_type;
|
|||
type hal_audiocontrol_service, vendor_service, service_manager_type;
|
||||
type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_dice_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_face_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
|
||||
|
|
1
vendor/file_contexts
vendored
1
vendor/file_contexts
vendored
|
@ -75,6 +75,7 @@
|
|||
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example u:object_r:hal_sensors_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
|
||||
|
|
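Review bot: The new entry for `android.hardware.security.dice-service.non-secure-software` carries no comment saying that it is a software-only implementation, so the label `hal_dice_default_exec` reads like any other default HAL. Judging by the binary name, the secrets this service handles are not hardware-protected, and a device that ships it would expose a DICE HAL without that protection. A comment directly above the line, for example `# Software-only reference DICE HAL; not intended for production devices`, would make the status visible to device maintainers who copy this file. Whether a build-time guard is also needed cannot be decided from this hunk.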
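--- a/vendor/hal_dice_default.te
+++ b/vendor/hal_dice_default.te
@@ -0,0 +1,5 @@
+type hal_dice_default, domain;
+hal_server_domain(hal_dice_default, hal_dice)
+
+type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dice_default)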