From 02bf814aa24e4b69c5fa356958f9de91badbde26 Mon Sep 17 00:00:00 2001 From: David Zeuthen Date: Fri, 17 Jan 2020 16:47:53 -0500 Subject: [PATCH] Add SELinux policy for credstore and update for IC HAL port from HIDL to AIDL. The credstore service is a system service which backs the android.security.identity.* Framework APIs. It essentially calls into the Identity Credential HAL while providing persistent storage for credentials. Bug: 111446262 Test: atest android.security.identity.cts Test: VtsHalIdentityTargetTest Test: android.hardware.identity-support-lib-test Change-Id: I5cd9a6ae810e764326355c0842e88c490f214c60 --- private/compat/29.0/29.0.ignore.cil | 6 +++++- private/credstore.te | 6 ++++++ private/file_contexts | 2 ++ private/hwservice_contexts | 1 - private/service_contexts | 2 ++ public/app.te | 3 +++ public/credstore.te | 16 ++++++++++++++++ public/domain.te | 1 + public/file.te | 1 + public/hal_identity.te | 5 ++++- public/hwservice.te | 1 - public/init.te | 9 +++++++++ public/service.te | 2 ++ public/te_macros | 12 ++++++++++++ vendor/file_contexts | 2 +- 15 files changed, 64 insertions(+), 5 deletions(-) create mode 100644 private/credstore.te create mode 100644 public/credstore.te diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil index f28757ee5..473907dea 100644 --- a/private/compat/29.0/29.0.ignore.cil +++ b/private/compat/29.0/29.0.ignore.cil @@ -27,6 +27,10 @@ bq_config_prop charger_prop cold_boot_done_prop + credstore + credstore_data_file + credstore_exec + credstore_service platform_compat_service ctl_apexd_prop dataloader_manager_service @@ -39,7 +43,7 @@ gmscore_app hal_can_bus_hwservice hal_can_controller_hwservice - hal_identity_hwservice + hal_identity_service hal_light_service hal_power_service hal_rebootescrow_service diff --git a/private/credstore.te b/private/credstore.te new file mode 100644 index 000000000..8d87e2f33 --- /dev/null +++ b/private/credstore.te 
@@ -0,0 +1,6 @@
+typeattribute credstore coredomain;
+
+init_daemon_domain(credstore)
+
+# talk to Identity Credential
+hal_client_domain(credstore, hal_identity)
diff --git a/private/file_contexts b/private/file_contexts
index 3955708ba..5a5378204 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -252,6 +252,7 @@
 /system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
 /system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
 /system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
+/system/bin/credstore u:object_r:credstore_exec:s0
 /system/bin/keystore u:object_r:keystore_exec:s0
 /system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
@@ -535,6 +536,7 @@
 /data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
 /data/misc/installd(/.*)? u:object_r:install_data_file:s0
 /data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
+/data/misc/credstore(/.*)? u:object_r:credstore_data_file:s0
 /data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
 /data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
 /data/misc/media(/.*)? u:object_r:media_data_file:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 238fd532c..b2cad3f1e 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -25,7 +25,6 @@ android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_b
 android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
 android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
 android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
-android.hardware.identity::IIdentityCredentialStore u:object_r:hal_identity_hwservice:s0
 android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
 android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
 android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
diff --git a/private/service_contexts b/private/service_contexts
index 19d3b0dfa..21067ec49 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,4 @@
+android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
 android.hardware.light.ILights/default u:object_r:hal_light_service:s0
 android.hardware.power.IPower/default u:object_r:hal_power_service:s0
 android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
@@ -12,6 +13,7 @@ aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
 aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
 alarm u:object_r:alarm_service:s0
 android.os.UpdateEngineService u:object_r:update_engine_service:s0
+android.security.identity u:object_r:credstore_service:s0
 android.security.keystore u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
 app_binding u:object_r:app_binding_service:s0
diff --git a/public/app.te b/public/app.te
index a1561839b..4ceb4a66d 100644
--- a/public/app.te
+++ b/public/app.te
@@ -293,6 +293,8 @@ allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_sta use_keystore({ appdomain -isolated_app -ephemeral_app }) +use_credstore({ appdomain -isolated_app -ephemeral_app }) + allow appdomain console_device:chr_file { read write }; # only allow unprivileged socket ioctl commands @@ -482,6 +484,7 @@ neverallow { appdomain -shell } neverallow { appdomain -bluetooth } bluetooth_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; +neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *; neverallow appdomain keystore_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; diff --git a/public/credstore.te b/public/credstore.te new file mode 100644 index 000000000..db16a8dcb --- /dev/null +++ b/public/credstore.te @@ -0,0 +1,16 @@ +type credstore, domain; +type credstore_exec, system_file_type, exec_type, file_type; + +# credstore daemon +binder_use(credstore) +binder_service(credstore) +binder_call(credstore, system_server) + +allow credstore credstore_data_file:dir create_dir_perms; +allow credstore credstore_data_file:file create_file_perms; + +add_service(credstore, credstore_service) +allow credstore sec_key_att_app_id_provider_service:service_manager find; +allow credstore dropbox_service:service_manager find; + +r_dir_file(credstore, cgroup) diff --git a/public/domain.te b/public/domain.te index f2af7b1c2..455b22fa2 100644 --- a/public/domain.te +++ b/public/domain.te @@ -654,6 +654,7 @@ full_treble_only(` -cameraserver_service -drmserver_service -hal_light_service # TODO(b/148154485) remove once all violators are gone + -credstore_service -keystore_service -mediadrmserver_service -mediaextractor_service diff --git a/public/file.te b/public/file.te index 0585afd01..fca4f6f60 100644 --- a/public/file.te +++ b/public/file.te 
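Review bot: The added `neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;` is a domain-wide invariant, yet it is placed in public/app.te between two appdomain-scoped neverallows, so someone auditing credstore's storage guarantees in credstore.te will not see it; moving it into public/credstore.te next to the `allow credstore credstore_data_file:...` rules would keep the invariant with the domain it protects. It is also deliberately stricter than the adjacent keystore_data_file rule (which restricts only appdomain and only specific write permissions), and that intent deserves a one-line comment such as `# Only credstore, and init (which creates the directory), may touch credential storage.`. Note that init's real access is still bounded by the explicit allows in init.te, so the exemption here does not grant it anything by itself.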
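Review bot: The two service-manager grants `allow credstore sec_key_att_app_id_provider_service:service_manager find;` and `allow credstore dropbox_service:service_manager find;` carry no comment, and nothing else in this file says why a credential store needs either service; a why-comment on each would save the next auditor a trip through the daemon source, e.g. `# presumably used to obtain the attestation application id for credential attestation -- confirm` and `# presumably used to report errors to dropbox -- confirm`. Likewise the `create_dir_perms`/`create_file_perms` grants on credstore_data_file could state that this directory is the persistent credential storage the commit message describes. The remaining lines (binder_use, binder_service, add_service, r_dir_file on cgroup) follow the usual shape of a system daemon domain and need no change.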
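Review bot: `-credstore_service` is inserted directly beneath `# TODO(b/148154485) remove once all violators are gone`, i.e. into an exception list that exists for legacy services, but credstore_service is a brand-new type introduced by this very change and cannot have pre-existing violators. If some non-coredomain client genuinely needs to find credstore_service, that should be stated in its own comment naming the client and the reason rather than riding on the TODO; otherwise the entry should be dropped so the new service gets the default protection the neverallow provides. The enclosing `full_treble_only(` block begins before this hunk, so exactly what the list exempts is not visible here and should be checked against the full rule.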
@@ -357,6 +357,7 @@ type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type; type bootstat_data_file, file_type, data_file_type, core_data_file_type; type boottrace_data_file, file_type, data_file_type, core_data_file_type; type camera_data_file, file_type, data_file_type, core_data_file_type; +type credstore_data_file, file_type, data_file_type, core_data_file_type; type gatekeeper_data_file, file_type, data_file_type, core_data_file_type; type incident_data_file, file_type, data_file_type, core_data_file_type; type keychain_data_file, file_type, data_file_type, core_data_file_type; diff --git a/public/hal_identity.te b/public/hal_identity.te index a8df186fb..3a95743c2 100644 --- a/public/hal_identity.te +++ b/public/hal_identity.te @@ -1,4 +1,7 @@ # HwBinder IPC from client to server binder_call(hal_identity_client, hal_identity_server) -hal_attribute_hwservice(hal_identity, hal_identity_hwservice) +add_service(hal_identity_server, hal_identity_service) +binder_call(hal_identity_server, servicemanager) + +allow hal_identity_client hal_identity_service:service_manager find; diff --git a/public/hwservice.te b/public/hwservice.te index 3619a6355..34813852e 100644 --- a/public/hwservice.te +++ b/public/hwservice.te @@ -28,7 +28,6 @@ type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice; type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice; type hal_health_hwservice, hwservice_manager_type, protected_hwservice; type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice; -type hal_identity_hwservice, hwservice_manager_type, protected_hwservice; type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice; type hal_ir_hwservice, hwservice_manager_type, protected_hwservice; type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice; diff --git a/public/init.te b/public/init.te index 19c7e4bd6..8fe877db3 100644 --- a/public/init.te +++ b/public/init.te 
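Review bot: The retained first line `# HwBinder IPC from client to server` in hal_identity.te is now stale: this hunk removes the HIDL `hal_attribute_hwservice(hal_identity, hal_identity_hwservice)` and replaces it with an AIDL service registered via `add_service(hal_identity_server, hal_identity_service)` and `binder_call(hal_identity_server, servicemanager)`, which is ordinary Binder through servicemanager, not HwBinder. Change it to `# Binder IPC from client to server` and add a short comment above `add_service` such as `# Server registers the AIDL service; clients may only find it.` so the split between server and client permissions is explicit. The removal of `hal_identity_hwservice` from hwservice.te and hwservice_contexts is consistent with this, so no further change is needed there.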
@@ -189,6 +189,7 @@ allow init { -app_data_file -exec_type -iorapd_data_file + -credstore_data_file -keystore_data_file -misc_logd_file -nativetest_data_file @@ -206,6 +207,7 @@ allow init { -exec_type -gsi_data_file -iorapd_data_file + -credstore_data_file -keystore_data_file -misc_logd_file -nativetest_data_file @@ -224,6 +226,7 @@ allow init { -exec_type -gsi_data_file -iorapd_data_file + -credstore_data_file -keystore_data_file -misc_logd_file -nativetest_data_file @@ -242,6 +245,7 @@ allow init { -exec_type -gsi_data_file -iorapd_data_file + -credstore_data_file -keystore_data_file -misc_logd_file -nativetest_data_file @@ -441,6 +445,11 @@ allow init misc_logd_file:file { open create getattr setattr write }; allow init self:global_capability_class_set kill; allow init domain:process { getpgid sigkill signal }; +# Init creates credstore's directory on boot, and walks through +# the directory as part of a recursive restorecon. +allow init credstore_data_file:dir { open create read getattr setattr search }; +allow init credstore_data_file:file { getattr }; + # Init creates keystore's directory on boot, and walks through # the directory as part of a recursive restorecon. allow init keystore_data_file:dir { open create read getattr setattr search }; diff --git a/public/service.te b/public/service.te index 79cce0e01..0b08028e6 100644 --- a/public/service.te +++ b/public/service.te @@ -16,6 +16,7 @@ type idmap_service, service_manager_type; type iorapd_service, service_manager_type; type incident_service, service_manager_type; type installd_service, service_manager_type; +type credstore_service, app_api_service, service_manager_type; type keystore_service, service_manager_type; type lpdump_service, service_manager_type; type mediaserver_service, service_manager_type; 
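Review bot: `type credstore_service, app_api_service, service_manager_type;` tags the new service as app_api_service, whereas the neighbouring `type keystore_service, service_manager_type;` deliberately does not, and the use_credstore macro added in te_macros already grants `credstore_service:service_manager find` explicitly to the app domains that need it. If the attribute is intended, it widens `find` to every domain the app_api_service attribute covers (defined outside this hunk), and a comment saying so would help; if it is not, dropping it keeps credstore's exposure aligned with keystore's, which this service is modelled on. Either way the decision should be recorded next to the declaration rather than left implicit.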
@@ -206,6 +207,7 @@ type tethering_service, app_api_service, ephemeral_app_api_service, system_serve ### HAL Services ### +type hal_identity_service, vendor_service, service_manager_type; type hal_light_service, vendor_service, service_manager_type; type hal_power_service, vendor_service, service_manager_type; type hal_rebootescrow_service, vendor_service, service_manager_type; diff --git a/public/te_macros b/public/te_macros index 89061a0c6..a9dea9222 100644 --- a/public/te_macros +++ b/public/te_macros @@ -599,6 +599,18 @@ define(`use_keystore', ` binder_call(keystore, $1) ') +##################################### +# use_credstore(domain) +# Ability to use credstore. +define(`use_credstore', ` + allow credstore $1:dir search; + allow credstore $1:file { read open }; + allow credstore $1:process getattr; + allow $1 credstore_service:service_manager find; + binder_call($1, credstore) + binder_call(credstore, $1) +') + ########################################### # use_drmservice(domain) # Ability to use DrmService which requires diff --git a/vendor/file_contexts b/vendor/file_contexts index c5a99382f..bdc29e022 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
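Review bot: The new use_credstore macro grants credstore `search` on the client's dir, `{ read open }` on its files and `process getattr`, but the header comment only says `# Ability to use credstore.`, leaving the reader to guess why a credential daemon reads its callers' files. The reason (presumably reading the caller's /proc/<pid> entries to identify the calling process, as the adjacent use_keystore macro appears to do -- confirm) should be stated in the macro comment, e.g. `# credstore reads the caller's /proc/<pid> entries to identify it`. It would also be worth noting there that the macro is applied in app.te to `{ appdomain -isolated_app -ephemeral_app }`, mirroring use_keystore, so that the two stay in step.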
@@ -36,7 +36,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.identity@1\.0-service.example u:object_r:hal_identity_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0