Merge "Touch up microdroid sepolicy after removing keystore"

2022-01-28 17:53:34 +00:00 · 2022-01-28 17:53:34 +00:00 · ae1acbe12d
commit ae1acbe12d
parent d5bd56d11f 6f2529c01b
5 changed files with 149 additions and 1 deletions
--- a/microdroid/reqd_mask/access_vectors
+++ b/microdroid/reqd_mask/access_vectors
@ -684,6 +684,68 @@ class service_manager
 	list
 }

+class hwservice_manager
+{
+	add
+	find
+	list
+}
+
+class keystore_key
+{
+	get_state
+	get
+	insert
+	delete
+	exist
+	list
+	reset
+	password
+	lock
+	unlock
+	is_empty
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+	add_auth
+	user_changed
+	gen_unique_id
+}
+
+class keystore2
+{
+	add_auth
+	change_password
+	change_user
+	clear_ns
+	clear_uid
+	early_boot_ended
+	get_auth_token
+	get_state
+	list
+	lock
+	report_off_body
+	reset
+	unlock
+}
+
+class keystore2_key
+{
+	convert_storage_key_to_ephemeral
+	delete
+	gen_unique_id
+	get_info
+	grant
+	manage_blob
+	rebind
+	req_forced_op
+	update
+	use
+	use_dev_id
+}
+
 class drmservice {
 	consumeRights
 	setPlaybackStatus
--- a/microdroid/reqd_mask/security_classes
+++ b/microdroid/reqd_mask/security_classes
@ -151,5 +151,17 @@ class property_service          # userspace
 # Service manager
 class service_manager           # userspace

+# hardware service manager      # userspace
+class hwservice_manager
+
+# Legacy Keystore key permissions
+class keystore_key              # userspace
+
+# Keystore 2.0 permissions
+class keystore2                 # userspace
+
+# Keystore 2.0 key permissions
+class keystore2_key             # userspace
+
 class drmservice                # userspace
 # FLASK
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@ -684,6 +684,68 @@ class service_manager
 	list
 }

+class hwservice_manager
+{
+	add
+	find
+	list
+}
+
+class keystore_key
+{
+	get_state
+	get
+	insert
+	delete
+	exist
+	list
+	reset
+	password
+	lock
+	unlock
+	is_empty
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+	add_auth
+	user_changed
+	gen_unique_id
+}
+
+class keystore2
+{
+	add_auth
+	change_password
+	change_user
+	clear_ns
+	clear_uid
+	early_boot_ended
+	get_auth_token
+	get_state
+	list
+	lock
+	report_off_body
+	reset
+	unlock
+}
+
+class keystore2_key
+{
+	convert_storage_key_to_ephemeral
+	delete
+	gen_unique_id
+	get_info
+	grant
+	manage_blob
+	rebind
+	req_forced_op
+	update
+	use
+	use_dev_id
+}
+
 class diced
 {
 	demote
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@ -47,7 +47,7 @@ allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;

 # /dev/binder can be accessed by ... everyone! :)
-allow { domain } binder_device:chr_file rw_file_perms;
+allow domain binder_device:chr_file rw_file_perms;

 # Restrict binder ioctls to an allowlist. Additional ioctl commands may be
 # added to individual domains, but this sets safe defaults for all processes.
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@ -151,6 +151,18 @@ class property_service          # userspace
 # Service manager
 class service_manager           # userspace

+# hardware service manager      # userspace
+class hwservice_manager
+
+# Legacy Keystore key permissions
+class keystore_key              # userspace
+
+# Keystore 2.0 permissions
+class keystore2                 # userspace
+
+# Keystore 2.0 key permissions
+class keystore2_key             # userspace
+
 # Diced permissions
 class diced                     # userspace