From d25c80a9511f842079be015c49eaa7358f24cd8c Mon Sep 17 00:00:00 2001
From: Vikram Gaur
Date: Wed, 31 Aug 2022 00:08:16 +0000
Subject: [PATCH] Add SELinux policy changes for rkpd

This is a part of changes to bring up Remote Key Provisioning Daemon module. See packages/modules/RemoteKeyProvisioning for more info.

Change-Id: Iae4e98176491637acb03e2e09b9d8dbc269be616
Test: atest rkpd_client_test
---
 apex/Android.bp | 7 +++++++
 apex/com.android.rkpd-file_contexts | 2 ++
 build/soong/service_fuzzer_bindings.go | 2 ++
 private/rkpd.te | 15 +++++++++++++++
 private/service.te | 2 ++
 private/service_contexts | 2 ++
 6 files changed, 30 insertions(+)
 create mode 100644 apex/com.android.rkpd-file_contexts
 create mode 100644 private/rkpd.te
diff --git a/apex/Android.bp b/apex/Android.bp
index 8c9db86f3..994bfd21b 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -272,3 +272,10 @@ filegroup {
 "com.android.healthconnect-file_contexts",
 ],
 }
+
+filegroup {
+ name: "com.android.rkpd-file_contexts",
+ srcs: [
+ "com.android.rkpd-file_contexts",
+ ],
+}
diff --git a/apex/com.android.rkpd-file_contexts b/apex/com.android.rkpd-file_contexts
new file mode 100644
index 000000000..4424c8af0
--- /dev/null
+++ b/apex/com.android.rkpd-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/rkpd u:object_r:rkpd_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index cf6b72da1..ee3264624 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -313,6 +313,8 @@ var (
 "resolver": []string{},
 "resources": []string{},
 "restrictions": []string{},
+ "rkpd.registrar": []string{},
+ "rkpd.refresh": []string{},
 "role": []string{},
 "rollback": []string{},
 "rttmanager": []string{},
diff --git a/private/rkpd.te b/private/rkpd.te
new file mode 100644
index 000000000..d75638a59
--- /dev/null
+++ b/private/rkpd.te
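Review bot: The two new entries bind `rkpd.registrar` and `rkpd.refresh` to empty fuzzer lists (`[]string{}`), which satisfies the service-to-fuzzer consistency check this map backs while leaving both binder interfaces with no fuzz coverage at all. rkpd is a brand-new daemon registering two AIDL services with servicemanager, and the CL's Test line covers only `rkpd_client_test`; whether either interface parses client-supplied data is not visible here, but a servicemanager-registered binder server is normally expected to ship with a fuzzer. Once a fuzzer target exists in the RemoteKeyProvisioning module, list its name here in place of `[]string{}` so the binding check actually covers the services; until then a one-line `// TODO: no fuzzer yet for rkpd services` next to the two entries would at least record the gap rather than hide it behind an empty list.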
@@ -0,0 +1,15 @@
+# Policies for Remote Key Provisioning Daemon (rkpd)
+type rkpd, domain;
+type rkpd_exec, system_file_type, exec_type, file_type;
+
+typeattribute rkpd coredomain;
+
+binder_use(rkpd)
+binder_service(rkpd)
+
+init_daemon_domain(rkpd)
+
+add_service(rkpd, rkpd_registrar_service)
+add_service(rkpd, rkpd_refresh_service)
+
+
diff --git a/private/service.te b/private/service.te
index 1f407a66c..84e39ae66 100644
--- a/private/service.te
+++ b/private/service.te
@@ -10,6 +10,8 @@ type logd_service, service_manager_type;
 type mediatuner_service, app_api_service, service_manager_type;
 type profcollectd_service, service_manager_type;
 type resolver_service, system_server_service, service_manager_type;
+type rkpd_registrar_service, service_manager_type;
+type rkpd_refresh_service, service_manager_type;
 type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
 type stats_service, service_manager_type;
 type statsbootstrap_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 63f3ff76d..d86bf4737 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -298,6 +298,8 @@ recovery u:object_r:recovery_service:s0
 resolver u:object_r:resolver_service:s0
 resources u:object_r:resources_manager_service:s0
 restrictions u:object_r:restrictions_service:s0
+rkpd.registrar u:object_r:rkpd_registrar_service:s0
+rkpd.refresh u:object_r:rkpd_refresh_service:s0
 role u:object_r:role_service:s0
 rollback u:object_r:rollback_service:s0
 rttmanager u:object_r:rttmanager_service:s0
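Review bot: Nothing in this new rkpd.te lets any client domain reach the two services — `add_service()` gives rkpd itself `{ add find }` on `rkpd_registrar_service` and `rkpd_refresh_service` (and, as I recall the macro, a neverallow on `add` from every other domain), but no `allow <client> rkpd_registrar_service:service_manager find;` appears anywhere in this CL, so unless something outside it already grants that, the services are registered but unreachable. If that is intentional for a staged bring-up, say so in the header so the next reader does not assume the daemon is fully wired, e.g. `# Only binder registration is granted here; client find access and any HAL/file/network permissions rkpd needs are added in follow-up CLs.` Keeping the domain to `binder_use`/`binder_service`/`init_daemon_domain` with nothing else is good least-privilege for a first landing, and since this is a new `coredomain` in `private/` the services are correctly not exposed to vendor or to apps (no `app_api_service`/`system_api_service` on the types). Minor: the file ends with two empty added lines (new lines 14–15); one of them should be dropped.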