Merge "Add SELinux policy for credstore and update for IC HAL port from HIDL to AIDL."
This commit is contained in:
commit
1948c11d13
@ -27,6 +27,10 @@
|
|||||||
bq_config_prop
|
bq_config_prop
|
||||||
charger_prop
|
charger_prop
|
||||||
cold_boot_done_prop
|
cold_boot_done_prop
|
||||||
|
credstore
|
||||||
|
credstore_data_file
|
||||||
|
credstore_exec
|
||||||
|
credstore_service
|
||||||
platform_compat_service
|
platform_compat_service
|
||||||
ctl_apexd_prop
|
ctl_apexd_prop
|
||||||
dataloader_manager_service
|
dataloader_manager_service
|
||||||
@ -39,7 +43,7 @@
|
|||||||
gmscore_app
|
gmscore_app
|
||||||
hal_can_bus_hwservice
|
hal_can_bus_hwservice
|
||||||
hal_can_controller_hwservice
|
hal_can_controller_hwservice
|
||||||
hal_identity_hwservice
|
hal_identity_service
|
||||||
hal_light_service
|
hal_light_service
|
||||||
hal_power_service
|
hal_power_service
|
||||||
hal_rebootescrow_service
|
hal_rebootescrow_service
|
||||||
|
6
private/credstore.te
Normal file
6
private/credstore.te
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
typeattribute credstore coredomain;
|
||||||
|
|
||||||
|
init_daemon_domain(credstore)
|
||||||
|
|
||||||
|
# talk to Identity Credential
|
||||||
|
hal_client_domain(credstore, hal_identity)
|
@ -252,6 +252,7 @@
|
|||||||
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
|
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
|
||||||
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
|
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
|
||||||
/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
|
/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
|
||||||
|
/system/bin/credstore u:object_r:credstore_exec:s0
|
||||||
/system/bin/keystore u:object_r:keystore_exec:s0
|
/system/bin/keystore u:object_r:keystore_exec:s0
|
||||||
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
|
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
|
||||||
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
|
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
|
||||||
@ -535,6 +536,7 @@
|
|||||||
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
|
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
|
||||||
/data/misc/installd(/.*)? u:object_r:install_data_file:s0
|
/data/misc/installd(/.*)? u:object_r:install_data_file:s0
|
||||||
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
|
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
|
||||||
|
/data/misc/credstore(/.*)? u:object_r:credstore_data_file:s0
|
||||||
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
|
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
|
||||||
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
|
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
|
||||||
/data/misc/media(/.*)? u:object_r:media_data_file:s0
|
/data/misc/media(/.*)? u:object_r:media_data_file:s0
|
||||||
|
@ -25,7 +25,6 @@ android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_b
|
|||||||
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
|
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
|
||||||
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
|
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
|
||||||
android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
|
android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
|
||||||
android.hardware.identity::IIdentityCredentialStore u:object_r:hal_identity_hwservice:s0
|
|
||||||
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
|
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
|
||||||
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
|
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
|
||||||
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
|
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
|
||||||
|
@ -1,3 +1,4 @@
|
|||||||
|
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
|
||||||
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
|
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
|
||||||
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
|
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
|
||||||
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
|
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
|
||||||
@ -12,6 +13,7 @@ aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
|
|||||||
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
|
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
|
||||||
alarm u:object_r:alarm_service:s0
|
alarm u:object_r:alarm_service:s0
|
||||||
android.os.UpdateEngineService u:object_r:update_engine_service:s0
|
android.os.UpdateEngineService u:object_r:update_engine_service:s0
|
||||||
|
android.security.identity u:object_r:credstore_service:s0
|
||||||
android.security.keystore u:object_r:keystore_service:s0
|
android.security.keystore u:object_r:keystore_service:s0
|
||||||
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
|
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
|
||||||
app_binding u:object_r:app_binding_service:s0
|
app_binding u:object_r:app_binding_service:s0
|
||||||
|
@ -293,6 +293,8 @@ allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_sta
|
|||||||
|
|
||||||
use_keystore({ appdomain -isolated_app -ephemeral_app })
|
use_keystore({ appdomain -isolated_app -ephemeral_app })
|
||||||
|
|
||||||
|
use_credstore({ appdomain -isolated_app -ephemeral_app })
|
||||||
|
|
||||||
allow appdomain console_device:chr_file { read write };
|
allow appdomain console_device:chr_file { read write };
|
||||||
|
|
||||||
# only allow unprivileged socket ioctl commands
|
# only allow unprivileged socket ioctl commands
|
||||||
@ -482,6 +484,7 @@ neverallow { appdomain -shell }
|
|||||||
neverallow { appdomain -bluetooth }
|
neverallow { appdomain -bluetooth }
|
||||||
bluetooth_data_file:dir_file_class_set
|
bluetooth_data_file:dir_file_class_set
|
||||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||||
|
neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
|
||||||
neverallow appdomain
|
neverallow appdomain
|
||||||
keystore_data_file:dir_file_class_set
|
keystore_data_file:dir_file_class_set
|
||||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
{ create write setattr relabelfrom relabelto append unlink link rename };
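Review bot: The added `neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;` binds every domain except credstore and init, so it is not an app-specific rule and sits oddly between two appdomain neverallows in app.te; it would be easier to find next to the other credstore rules, or wherever the domain-wide keystore_data_file rule lives, if there is one. The rule itself has the right shape: `*` over dir_file_class_set stops any other domain from reading, writing or relabeling the credential store, which is stricter than the neighbouring keystore rule that only constrains appdomain. If it stays here, a comment such as `# credstore's storage is reachable only by credstore itself and by init (dir creation and restorecon at boot)` would explain the init exemption. The neverallow statements on either side of the inserted line start and end outside the hunk.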
|
||||||
|
16
public/credstore.te
Normal file
16
public/credstore.te
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
type credstore, domain;
|
||||||
|
type credstore_exec, system_file_type, exec_type, file_type;
|
||||||
|
|
||||||
|
# credstore daemon
|
||||||
|
binder_use(credstore)
|
||||||
|
binder_service(credstore)
|
||||||
|
binder_call(credstore, system_server)
|
||||||
|
|
||||||
|
allow credstore credstore_data_file:dir create_dir_perms;
|
||||||
|
allow credstore credstore_data_file:file create_file_perms;
|
||||||
|
|
||||||
|
add_service(credstore, credstore_service)
|
||||||
|
allow credstore sec_key_att_app_id_provider_service:service_manager find;
|
||||||
|
allow credstore dropbox_service:service_manager find;
|
||||||
|
|
||||||
|
r_dir_file(credstore, cgroup)
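Review bot: The two service_manager find rules for sec_key_att_app_id_provider_service and dropbox_service, and the one-way binder_call(credstore, system_server), carry no explanation of what credstore needs them for, so a reader of this public policy cannot tell whether the dropbox lookup is expected (crash or error reporting is the usual reason, but that is a guess) or why an app-id provider is consulted. A one-line comment above each rule stating its purpose, and a note on whether system_server is expected to call back into credstore (through use_credstore or another rule not in this file), would make the file self-describing the way `# credstore daemon` and `# talk to Identity Credential` already do. The file access is correctly limited to credstore_data_file; nothing else in this section grants broader access.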
|
@ -654,6 +654,7 @@ full_treble_only(`
|
|||||||
-cameraserver_service
|
-cameraserver_service
|
||||||
-drmserver_service
|
-drmserver_service
|
||||||
-hal_light_service # TODO(b/148154485) remove once all violators are gone
|
-hal_light_service # TODO(b/148154485) remove once all violators are gone
|
||||||
|
-credstore_service
|
||||||
-keystore_service
|
-keystore_service
|
||||||
-mediadrmserver_service
|
-mediadrmserver_service
|
||||||
-mediaextractor_service
|
-mediaextractor_service
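Review bot: Adding `-credstore_service` to this exemption list removes credstore_service from the enclosing neverallow, and the neighbouring entries (keystore_service, and hal_light_service with its "remove once all violators are gone" TODO) suggest the list is the set of system services that non-core domains are still permitted to find; if so, the exemption lets vendor domains reach credstore's binder interface, widening its attack surface beyond apps and system_server. The commit gives no reason a vendor domain needs credstore, so unless one exists the line should be dropped, or it should carry a justification and bug reference the way the hal_light_service entry does. The neverallow's subject set begins outside the hunk, so the reading above is inferred from the visible exemptions.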
|
||||||
|
@ -359,6 +359,7 @@ type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
|
|||||||
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
|
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
|
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
type camera_data_file, file_type, data_file_type, core_data_file_type;
|
type camera_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
|
type credstore_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
|
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
type incident_data_file, file_type, data_file_type, core_data_file_type;
|
type incident_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
type keychain_data_file, file_type, data_file_type, core_data_file_type;
|
type keychain_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
|
@ -1,4 +1,7 @@
|
|||||||
# HwBinder IPC from client to server
|
# HwBinder IPC from client to server
|
||||||
binder_call(hal_identity_client, hal_identity_server)
|
binder_call(hal_identity_client, hal_identity_server)
|
||||||
|
|
||||||
hal_attribute_hwservice(hal_identity, hal_identity_hwservice)
|
add_service(hal_identity_server, hal_identity_service)
|
||||||
|
binder_call(hal_identity_server, servicemanager)
|
||||||
|
|
||||||
|
allow hal_identity_client hal_identity_service:service_manager find;
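Review bot: The retained header comment `# HwBinder IPC from client to server` above binder_call(hal_identity_client, hal_identity_server) is now stale, because this hunk drops the hwservice attribute and registers the HAL with servicemanager as an AIDL service; change it to `# Binder IPC from client to server`. The replacement rules grant add_service to hal_identity_server and find to hal_identity_client, but the removed hal_attribute_hwservice macro also carried neverallows restricting which domains may register and find the service, and nothing here restores them. If this tree's te_macros already provides hal_attribute_service (used by other AIDL HALs), `hal_attribute_service(hal_identity, hal_identity_service)` would give the same guarantee in one line; otherwise an explicit neverallow that only hal_identity_server may add hal_identity_service is worth adding.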
|
||||||
|
@ -28,7 +28,6 @@ type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
|
|||||||
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
|
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
|
||||||
type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
|
type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
|
||||||
type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
|
type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
|
||||||
type hal_identity_hwservice, hwservice_manager_type, protected_hwservice;
|
|
||||||
type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
|
type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
|
||||||
type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
|
type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
|
||||||
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
|
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
|
||||||
|
@ -189,6 +189,7 @@ allow init {
|
|||||||
-app_data_file
|
-app_data_file
|
||||||
-exec_type
|
-exec_type
|
||||||
-iorapd_data_file
|
-iorapd_data_file
|
||||||
|
-credstore_data_file
|
||||||
-keystore_data_file
|
-keystore_data_file
|
||||||
-misc_logd_file
|
-misc_logd_file
|
||||||
-nativetest_data_file
|
-nativetest_data_file
|
||||||
@ -206,6 +207,7 @@ allow init {
|
|||||||
-exec_type
|
-exec_type
|
||||||
-gsi_data_file
|
-gsi_data_file
|
||||||
-iorapd_data_file
|
-iorapd_data_file
|
||||||
|
-credstore_data_file
|
||||||
-keystore_data_file
|
-keystore_data_file
|
||||||
-misc_logd_file
|
-misc_logd_file
|
||||||
-nativetest_data_file
|
-nativetest_data_file
|
||||||
@ -224,6 +226,7 @@ allow init {
|
|||||||
-exec_type
|
-exec_type
|
||||||
-gsi_data_file
|
-gsi_data_file
|
||||||
-iorapd_data_file
|
-iorapd_data_file
|
||||||
|
-credstore_data_file
|
||||||
-keystore_data_file
|
-keystore_data_file
|
||||||
-misc_logd_file
|
-misc_logd_file
|
||||||
-nativetest_data_file
|
-nativetest_data_file
|
||||||
@ -242,6 +245,7 @@ allow init {
|
|||||||
-exec_type
|
-exec_type
|
||||||
-gsi_data_file
|
-gsi_data_file
|
||||||
-iorapd_data_file
|
-iorapd_data_file
|
||||||
|
-credstore_data_file
|
||||||
-keystore_data_file
|
-keystore_data_file
|
||||||
-misc_logd_file
|
-misc_logd_file
|
||||||
-nativetest_data_file
|
-nativetest_data_file
|
||||||
@ -441,6 +445,11 @@ allow init misc_logd_file:file { open create getattr setattr write };
|
|||||||
allow init self:global_capability_class_set kill;
|
allow init self:global_capability_class_set kill;
|
||||||
allow init domain:process { getpgid sigkill signal };
|
allow init domain:process { getpgid sigkill signal };
|
||||||
|
|
||||||
|
# Init creates credstore's directory on boot, and walks through
|
||||||
|
# the directory as part of a recursive restorecon.
|
||||||
|
allow init credstore_data_file:dir { open create read getattr setattr search };
|
||||||
|
allow init credstore_data_file:file { getattr };
|
||||||
|
|
||||||
# Init creates keystore's directory on boot, and walks through
|
# Init creates keystore's directory on boot, and walks through
|
||||||
# the directory as part of a recursive restorecon.
|
# the directory as part of a recursive restorecon.
|
||||||
allow init keystore_data_file:dir { open create read getattr setattr search };
|
allow init keystore_data_file:dir { open create read getattr setattr search };
|
||||||
|
@ -16,6 +16,7 @@ type idmap_service, service_manager_type;
|
|||||||
type iorapd_service, service_manager_type;
|
type iorapd_service, service_manager_type;
|
||||||
type incident_service, service_manager_type;
|
type incident_service, service_manager_type;
|
||||||
type installd_service, service_manager_type;
|
type installd_service, service_manager_type;
|
||||||
|
type credstore_service, app_api_service, service_manager_type;
|
||||||
type keystore_service, service_manager_type;
|
type keystore_service, service_manager_type;
|
||||||
type lpdump_service, service_manager_type;
|
type lpdump_service, service_manager_type;
|
||||||
type mediaserver_service, service_manager_type;
|
type mediaserver_service, service_manager_type;
|
||||||
@ -206,6 +207,7 @@ type tethering_service, app_api_service, ephemeral_app_api_service, system_serve
|
|||||||
### HAL Services
|
### HAL Services
|
||||||
###
|
###
|
||||||
|
|
||||||
|
type hal_identity_service, vendor_service, service_manager_type;
|
||||||
type hal_light_service, vendor_service, service_manager_type;
|
type hal_light_service, vendor_service, service_manager_type;
|
||||||
type hal_power_service, vendor_service, service_manager_type;
|
type hal_power_service, vendor_service, service_manager_type;
|
||||||
type hal_rebootescrow_service, vendor_service, service_manager_type;
|
type hal_rebootescrow_service, vendor_service, service_manager_type;
|
||||||
|
@ -599,6 +599,18 @@ define(`use_keystore', `
|
|||||||
binder_call(keystore, $1)
|
binder_call(keystore, $1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#####################################
|
||||||
|
# use_credstore(domain)
|
||||||
|
# Ability to use credstore.
|
||||||
|
define(`use_credstore', `
|
||||||
|
allow credstore $1:dir search;
|
||||||
|
allow credstore $1:file { read open };
|
||||||
|
allow credstore $1:process getattr;
|
||||||
|
allow $1 credstore_service:service_manager find;
|
||||||
|
binder_call($1, credstore)
|
||||||
|
binder_call(credstore, $1)
|
||||||
|
')
|
||||||
|
|
||||||
###########################################
|
###########################################
|
||||||
# use_drmservice(domain)
|
# use_drmservice(domain)
|
||||||
# Ability to use DrmService which requires
|
# Ability to use DrmService which requires
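Review bot: The first three rules inside use_credstore give credstore search, read and open on the client domain's dir and file objects plus getattr on its process, which presumably is /proc/<pid> access for identifying the caller (the visible tail of use_keystore suggests it is modelled on that macro), but the header comment `# Ability to use credstore.` does not say so and a later reader may take them for accidental over-grants. Add a line such as `# credstore reads the caller's /proc entries to identify it; mirrors use_keystore` under the description. The `#####` separator above the macro is also shorter than the ones framing the neighbouring macros; match the file's width.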
|
||||||
|
2
vendor/file_contexts
vendored
2
vendor/file_contexts
vendored
@ -36,7 +36,7 @@
|
|||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
|
||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
|
||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
|
||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity@1\.0-service.example u:object_r:hal_identity_default_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
|
||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
|
||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
|
||||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
|
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
|
||||||
|