From 23f0f3b28a245fddddc111939d08e56e45d1899e Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Wed, 23 Dec 2020 21:53:08 -0800
Subject: [PATCH] SEPolicy for RemoteProvisioning App
This change adds the SEPolicy changes required to support the remote provisioning flow. The notable additions are specifically labeling the remote provisioning app and giving it access to find the remote provisioning service which is added in keystore. It also requires network access in order to communicate to the provisioning servers. This functionality is extremely narrow to the point that it seems worth it to define a separate domain for this app, rather than add this in to the priv_app or platform_app permission files. Since this app also communicates with the network, it also seems advantageous to limit its permissions only to what is absolutely necessary to perform its function.
Test: No denials!
Change-Id: I602c12365a575d914afc91f55e6a9b6aa2e14189
---
 private/compat/30.0/30.0.ignore.cil | 2 ++
 private/remote_prov_app.te | 10 ++++++++++
 private/seapp_contexts | 1 +
 private/service_contexts | 1 +
 public/keystore.te | 1 +
 public/service.te | 1 +
 6 files changed, 16 insertions(+)
 create mode 100644 private/remote_prov_app.te
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 664833860..fda2d156c 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -75,6 +75,8 @@
 profcollectd_service
 radio_core_data_file
 reboot_readiness_service
+ remote_prov_app
+ remoteprovisioning_service
 resolver_service
 search_ui_service
 shell_test_data_file
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
new file mode 100644
index 000000000..e877981d0
--- /dev/null
+++ b/private/remote_prov_app.te
@@ -0,0 +1,10 @@
+type remote_prov_app, domain;
+typeattribute remote_prov_app coredomain;
+
+app_domain(remote_prov_app)
+net_domain(remote_prov_app)
+
+allow remote_prov_app {
+ activity_service
+ remoteprovisioning_service
+}:service_manager find;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 929f07341..b8e42eaa7 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -143,6 +143,7 @@ neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
 isSystemServer=true domain=system_server_startup
 user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
 user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
diff --git a/private/service_contexts b/private/service_contexts
index 3eee0d5bc..ff4317418 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -31,6 +31,7 @@ android.security.authorization u:object_r:authorization_service:s0
 android.security.compat u:object_r:keystore_compat_hal_service:s0
 android.security.identity u:object_r:credstore_service:s0
 android.security.keystore u:object_r:keystore_service:s0
+android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
 android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
 android.system.keystore2 u:object_r:keystore_service:s0
 app_binding u:object_r:app_binding_service:s0
diff --git a/public/keystore.te b/public/keystore.te
index 8c64090a4..b8c599c85 100644
--- a/public/keystore.te
+++ b/public/keystore.te
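Review bot: The new `private/remote_prov_app.te` carries no comment saying what the domain is for or why it is kept separate from priv_app, so the reasoning given in the commit message is lost to the next reader of the policy file. `net_domain(remote_prov_app)` is the broadest grant in the hunk and is the line most worth a why-comment, since SELinux can only grant or deny socket use and cannot narrow it to the provisioning servers. Suggested header for the file: `# Domain for the remote provisioning priv-app (com.android.remoteprovisioner). Deliberately not priv_app: it needs only the network and find access to keystore's remoteprovisioning_service.` and above the net_domain line: `# Required to reach the remote provisioning servers.` The find grant on only activity_service and remoteprovisioning_service matches the stated least-privilege intent.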
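Review bot: The added seapp_contexts entry matches on `isPrivApp=true` plus the package `name=` with no `seinfo=` key, so assignment of `remote_prov_app` rests on the app's privileged-app status rather than on a signing-certificate seinfo binding; any priv-app carrying the package name com.android.remoteprovisioner would be labeled with this domain. That mirrors the traceur entry directly above it and looks intentional, but nothing in the file records the choice. A one-line comment above the new entry would, e.g. `# remoteprovisioner is keyed on priv-app status plus package name, not seinfo; policy lives in remote_prov_app.te`.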
@@ -13,6 +13,7 @@ allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
 add_service(keystore, keystore_service)
+add_service(keystore, remoteprovisioning_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 allow keystore dropbox_service:service_manager find;
 add_service(keystore, apc_service)
diff --git a/public/service.te b/public/service.te
index cf223da48..37ca953ae 100644
--- a/public/service.te
+++ b/public/service.te
@@ -29,6 +29,7 @@ type mediatranscoding_service, app_api_service, service_manager_type;
 type netd_service, service_manager_type;
 type nfc_service, service_manager_type;
 type radio_service, service_manager_type;
+type remoteprovisioning_service, service_manager_type;
 type secure_element_service, service_manager_type;
 type service_manager_service, service_manager_type;
 type storaged_service, service_manager_type;
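Review bot: In `public/service.te` the new `remoteprovisioning_service` is declared as a bare `service_manager_type`, unlike `mediatranscoding_service` in the hunk header which also carries `app_api_service`, so app domains do not get `find` on it through that attribute; within this change only `remote_prov_app` (via `private/remote_prov_app.te`) and keystore (via `add_service`) can look it up. That is the right shape for a service that fronts keystore, but the omission is silent and a later bulk edit adding `app_api_service` to the block would widen it unnoticed. A trailing comment would pin the intent: `type remoteprovisioning_service, service_manager_type; # not app_api_service: only remote_prov_app should find this`.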