Commit graph

28 commits

Author SHA1 Message Date
Alice Wang
e79bbf9cf8 Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL"
Revert submission 2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK

Reason for revert: Relands the original topic:
https://r.android.com/q/topic:%22expose-avf-rkp-hal%22

Changes from the reverted cl aosp/2812455:
 - The AIDL service type has been renamed from avf_* to hal_* to be
   consistent with the others.

 - The new AIDL service type, hal_remotelyprovisionedcomponent_avf_service,
   for the IRPC/avf service, has been set up with the server/client model
   for AIDL Hal. The virtualizationservice is declared as server and
   RKPD is declared as client to access the service instead of raw
   service permission setup as in the reverted cl. This is aligned
   with the AIDL Hal configuration recommendation.

 - Since the existing type for IRPC hal_remotelyprovisionedcomponent is
   already associated with keymint server/client and has specific
   permission requirements, and some of the keymint clients might not
   need the AVF Hal, we decided to create a new AIDL service type
   instead of reusing the existing keymint service type.

Reverted changes: /q/submissionid:2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK

Bug: 312427637
Bug: 310744536
Bug: 299257581
Test: atest MicrodroidHostTests librkp_support_test
Change-Id: Id37764b5f98e3c30c0c63601560697cf1c02c0ad
2023-11-22 08:21:27 +00:00
Eric Biggers
cc5cb431ee Stop granting permissions on keystore_key class
When keystore was replaced with keystore2 in Android 12, the SELinux
class of keystore keys was changed from keystore_key to keystore2_key.
However, the rules that granted access to keystore_key were never
removed.  This CL removes them, as they are no longer needed.

Don't actually remove the class and its permissions from
private/security_classes and private/access_vectors.  That would break
the build because they're referenced by rules in prebuilts/.

Bug: 171305684
Test: atest CtsKeystoreTestCases
Flag: exempt, removing obsolete code
Change-Id: I35d9ea22c0d069049a892def15a18696c4f287a3
2023-10-16 22:22:54 +00:00
Rob Seymour
9833c60b35 Merge "Allow service managers access to apex data."
2022-10-14 18:04:46 +00:00
Vikram Gaur
e1c49f5524 Add SELinux policies for remote_key_provisioning_native namespace.
We need to separate out the feature flags in use by remote key
provisioning daemon (RKPD). For this, I have set up a new namespace
remote_key_provisioning_native. This change adds the SELinux policies to
make sure appropriate permissions are present when accessing the feature
flag for read/write.

Change-Id: I9e73a623f847a058b6236dd0aa370a7f9a9e6da7
Test: TreeHugger
2022-09-29 21:32:58 +00:00
Rob Seymour
ecbadbb141 Allow service managers access to apex data.
VintfObject will monitor for /apex directory for VINTF data.
Add permissions for service managers to read this data.

Bug: 239055387
Test: m && boot
Change-Id: I179e008dadfcb323cde58a8a460bcfa2825a7b4f
2022-09-23 21:33:58 +00:00
Paul Crowley
283aef2860 Add ro.keystore.boot_level_key.strategy
Bug: 241241178
Test: set property on Cuttlefish, check logs for strategy used.
Change-Id: Ifaaec811316c43fdae232f9a08c5d862011ccc71
2022-08-24 21:38:36 -07:00
Max Bires
aaacfdb054 Add ro.remote_provisioning.*.rkp_only properties.
These properties are used to inform keystore2 and the RemoteProvisioner
app how they should behave in the system in the event that RKP keys are
exhausted. The usual behavior in a hybrid system is not to take any
action and fallback to the factory provisioned key if key attestation is
requested and no remotely provisioned keys are available.

However, there are instances where this could happen on a device that
was intended to be RKP only, in which case the system needs to know that
it should go ahead and attempt to remotely provision new certificates or
throw an error in the case where none are available.

Test: New properties are accessible from the two domains
Change-Id: I8d6c9e650566499bf08cfda2f71c64d5c2b26fd6
2022-04-04 11:23:12 -07:00
Hasini Gunasinghe
4fa6b1a037 Allow keystore to read and write keystore.crash_count system property.
Additionally, remove the obsolete permission which allows keystore to
register callbacks with statsd. There's no direct communication between
keystore and statsd now.

Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: statsd TestDrive script.
Merged-In: I31d202751ba78bb547822020260a7e366cb8826e

Change-Id: I31d202751ba78bb547822020260a7e366cb8826e
2021-07-08 17:54:58 +00:00
Paul Crowley
4a7945290d Remove wait_for_keymaster and references
No longer needed now init listens for property changes on a
separate thread.

Some references to wait_for_keymaster survive: in order to avoid
trouble downstream, we keep the definition of the `wait_for_keymaster`
and `wait_for_keymaster_exec` types, but remove all their permissions,
and of course prebuilds and compat cil files are unchanged.

Bug: 186580823
Test: Cuttlefish boots successfully
Change-Id: Id97fc2668743fb58dfd10c75a4f4c4d0348284ce
2021-06-17 11:12:16 -07:00
Seth Moore
bad4165f25 Enable pull metrics from keystore
Allow keystore to call statsd.
Allow statsd to call back to keystore to pull atoms.

Bug: 172013262
Test: atest system/keystore/keystore2
Test: statsd_testdrive 10103
Change-Id: I2d1739e257e95b37cc61f655f98f7a2724df7d76
2021-04-13 22:45:01 +00:00
Satya Tangirala
a999004528 Keystore 2.0: sepolicy changes for vold to use keystore2
Vold needs to be able to search for keystore2 and keystore2 maintenance
services, and call methods provided by those services.

Bug: 181910578
Change-Id: I6e336c3bfaabe158b850dc175b6c9a942dd717be
2021-04-07 02:14:33 -07:00
Paul Crowley
b0c5571da6 init sets keystore.boot_level, keystore reads
Bug: 176450483
Test: init can set, and keystore2 read, keystore.boot_level
Test: `adb shell getprop -Z | grep boot_level` returns
      [keystore.boot_level]: [u:object_r:keystore_listen_prop:s0]
Change-Id: Iedb37db19e9153995800fc97de6ee8c536179caa
2021-02-23 21:08:05 -08:00
Janis Danisevskis
bd464a9543 Allow keystore to talk to keymint
Test: None
Change-Id: Icb1f60b3c2971488a6a890c063d4e4babab2b2f2
2020-12-15 08:25:42 -08:00
Xin Li
11da9e6792 Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709)
Bug: 166295507
Merged-In: I6d0b1be1a46288fff42c3689dbef2f7443efebcc
Change-Id: I133180d20457b9f805f3da0915e2cf6e48229132
2020-08-29 01:45:24 -07:00
Hasini Gunasinghe
83e1f14f93 Allow keystore to write to statsd.
Keystore logging is migrated to use statsd. Therefore,
keystore needs permission to write to statsd.

Test: Treehugger passes.
Bug: 157664923
Change-Id: If15ee3eb2ae7036dbaccd31525feadb8f54c6162
Merged-In: I2fb61fd7e9732191e6991f199d04b5425b637830
2020-08-07 16:35:18 +00:00
Janis Danisevskis
c40681f1b5 Add libselinux keystore_key backend.
We add a new back end for SELinux based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.

Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
2020-08-05 16:11:48 +00:00
Hasini Gunasinghe
0112daa9bf Allow keystore to write to statsd.
Keystore logging is migrated to use statsd. Therefore,
keystore needs permission to write to statsd.

Test: Treehugger passes.
Bug: 157664923
Change-Id: I2fb61fd7e9732191e6991f199d04b5425b637830
2020-06-11 17:49:40 +00:00
Roshan Pius
31f511ae08 sepolicy: Move wifi keystore HAL service to wificond
Bug: 142969896
Test: Verified connecting to passpoint networks.
Change-Id: Iac72b13e24f45bbf834d698cfcfd0fe9177a80d3
Merged-In: Iac72b13e24f45bbf834d698cfcfd0fe9177a80d3
2019-10-28 14:06:17 -07:00
Roshan Pius
ce0df3b9d5 sepolicy: Move wifi keystore HAL service to wificond
Bug: 142969896
Test: Verified connecting to passpoint networks.
Change-Id: Iac72b13e24f45bbf834d698cfcfd0fe9177a80d3
2019-10-28 13:53:41 -07:00
Pavel Grafov
c5b3330c30 Allow Keystore to check security logging property.
This is needed to allow it to log audit events.

Test: manual, import a key and see adb shell su system logcat -b security
Bug: 70886042
Change-Id: Icd3c13172d47f8eac7c2a97c306d8c654e634f88
2018-01-24 19:49:18 +00:00
Janis Danisevskis
97c56bdd78 Added default policy for Confirmation UI HAL
Bug: 63928580
Test: Manually tested.

Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
2018-01-24 10:22:40 -08:00
Jeff Vander Stoep
d22cbc8ffb Merge "domain_deprecated is dead"
am: f1b06df3d6

Change-Id: I0d98e192600c94f983d7b0347715e2ba6a8b8dab
2017-07-28 23:22:43 +00:00
Jeff Vander Stoep
b5da252e45 domain_deprecated is dead
long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
2017-07-28 22:01:46 +00:00
Jeff Vander Stoep
7c34e83fcd Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
2017-07-24 07:39:54 -07:00
Jeff Vander Stoep
76aab82cb3 Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 13:37:59 -07:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call from either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00