authorDarren Krahn <dkrahn@google.com>2016-05-24 15:13:19 -0700
committerDarren Krahn <dkrahn@google.com>2016-06-06 14:59:26 -0700
commitb451420a04965812a936e23a57fd157a06f61737 (patch)
tree517a737d4e44183b4eb9ad16022da5c12591e449
parentfba3d1a0686099f481d50bec2057f2e6f1f77d46 (diff)
downloadbrillo-b451420a04965812a936e23a57fd157a06f61737.tar.gz
Add sepolicy for tpm_manager.
Also add tpm_manager to brilloemulator. BUG=b:25360511 Change-Id: I3f3fc6bbc99a3ed6dfb760ddb3ff64d7b6e4665a
-rw-r--r--brilloemulator/base.mk3
-rw-r--r--sepolicy/attributes1
-rw-r--r--sepolicy/file_contexts3
-rw-r--r--sepolicy/service.te1
-rw-r--r--sepolicy/service_contexts2
-rw-r--r--sepolicy/te_macros7
-rw-r--r--sepolicy/tpm_managerd.te26
-rw-r--r--sepolicy/trunksd_client.te3
8 files changed, 46 insertions, 0 deletions
diff --git a/brilloemulator/base.mk b/brilloemulator/base.mk
index 80a47a1..6d622f2 100644
--- a/brilloemulator/base.mk
+++ b/brilloemulator/base.mk
@@ -38,6 +38,9 @@ PRODUCT_PACKAGES += \
libtrunks \
trunks_client \
trunksd \
+ libtpm_manager \
+ tpm_manager_client \
+ tpm_managerd \
# Typically, BSPs define the set of HALs included for a board.
# However, emulators all share this fake camera HAL and there is
diff --git a/sepolicy/attributes b/sepolicy/attributes
index e29c1f5..f376ccd 100644
--- a/sepolicy/attributes
+++ b/sepolicy/attributes
@@ -5,3 +5,4 @@ attribute shill_client;
attribute update_engine_client;
attribute weave_client;
attribute webservd_client;
+attribute trunks_client;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index e583c69..4fac369 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -46,6 +46,9 @@
/data/misc/trunksd(/.*)? u:object_r:trunksd_data_file:s0
/system/bin/trunksd u:object_r:trunksd_exec:s0
+/data/misc/tpm_managerd(/.*)? u:object_r:tpm_managerd_data_file:s0
+/system/bin/tpm_managerd u:object_r:tpm_managerd_exec:s0
+
/dev/socket/nvram u:object_r:fake-nvram_socket:s0
/data/misc/fake-nvram(/.*)? u:object_r:fake-nvram_data_file:s0
/system/bin/fake-nvram u:object_r:fake-nvram_exec:s0
diff --git a/sepolicy/service.te b/sepolicy/service.te
index 1925547..72da1d9 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -2,6 +2,7 @@ type metricsd_service, service_manager_type;
type metricscollectorservice, service_manager_type;
type peripheralman_service, service_manager_type;
type trunks_service, service_manager_type;
+type tpm_manager_service, service_manager_type;
type weave_service, service_manager_type;
type brilloaudioservice, service_manager_type;
type webservd_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 3519719..525ff6d 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -2,6 +2,8 @@ android.brillo.metrics.IMetricsd u:object_r:metricsd_service:s0
android.brillo.metrics.IMetricsCollectorService u:object_r:metricscollectorservice:s0
android.os.IPeripheralManager u:object_r:peripheralman_service:s0
trunks_service u:object_r:trunks_service:s0
+android.tpm_manager.ITpmNvram u:object_r:tpm_manager_service:s0
+android.tpm_manager.ITpmOwnership u:object_r:tpm_manager_service:s0
android.brillo.UpdateEngineService u:object_r:update_engine_service:s0
weave_service u:object_r:weave_service:s0
android.brillo.brilloaudioservice.BrilloAudioService u:object_r:brilloaudioservice:s0
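Review bot: Both `android.tpm_manager.ITpmNvram` and `android.tpm_manager.ITpmOwnership` are labelled with the single type `tpm_manager_service`, so a later `service_manager find` rule cannot separate a client that only needs NVRAM access from one that should reach the ownership interface. Consider one type per interface, for example `tpm_nvram_service` and `tpm_ownership_service` (suggested names, not taken from the tree), declared in service.te and mapped here. Whether tpm_managerd performs its own per-caller checks is not visible in this commit, so the policy split may be the only visible boundary between the two interfaces.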
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
index 6239e6a..5a087bb 100644
--- a/sepolicy/te_macros
+++ b/sepolicy/te_macros
@@ -92,3 +92,10 @@ typeattribute $1 firewalld_client;
define(`allow_call_shill', `
typeattribute $1 shill_client;
')
+
+#####################################
+# allow_call_trunksd(domain)
+# Allow a domain and trunksd to communicate with each other over binder.
+define(`allow_call_trunksd', `
+typeattribute $1 trunks_client;
+')
diff --git a/sepolicy/tpm_managerd.te b/sepolicy/tpm_managerd.te
new file mode 100644
index 0000000..b333276
--- /dev/null
+++ b/sepolicy/tpm_managerd.te
@@ -0,0 +1,26 @@
+# tpm_managerd.
+type tpm_managerd, domain;
+type tpm_managerd_exec, exec_type, file_type;
+type tpm_managerd_data_file, file_type, data_file_type;
+
+brillo_domain(tpm_managerd)
+
+# Allow crash_reporter access to core dump files.
+allow_crash_reporter(tpm_managerd)
+
+# Allow Minijail to drop privilege.
+allow tpm_managerd self:capability { setuid setgid };
+
+# Allow adding the binder services.
+allow tpm_managerd tpm_manager_service:service_manager { add find };
+
+# Allow communication with trunksd.
+allow_call_trunksd(tpm_managerd)
+
+# Allow tpm_managerd to manage persistent data.
+allow tpm_managerd tpm_managerd_data_file:dir rw_dir_perms;
+allow tpm_managerd tpm_managerd_data_file:file create_file_perms;
+
+# TODO(dkrahn): Investigate why these are needed.
+allow tpm_managerd proc:file r_file_perms;
+allow tpm_managerd self:capability dac_override;
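Review bot: The last two rules, `allow tpm_managerd proc:file r_file_perms;` and `allow tpm_managerd self:capability dac_override;`, are granted under a TODO that says their need is not understood. `dac_override` lets the daemon bypass file owner and mode checks on everything its SELinux type can otherwise reach. A `dac_override` denial often means the data directory's owner or mode does not match the UID the daemon runs as after Minijail drops privilege; that is an inference, since the init script creating `/data/misc/tpm_managerd` is not part of this commit. I would tie the TODO to a tracking bug, e.g. `# TODO(dkrahn, b/<bug-id>): remove once the source of the denials is identified.`, and narrow `proc:file` to the specific proc type named in the logged AVC denial. The comment `# Allow adding the binder services.` also sits above a rule that grants `find` as well as `add`, and should say so.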
diff --git a/sepolicy/trunksd_client.te b/sepolicy/trunksd_client.te
new file mode 100644
index 0000000..287d752
--- /dev/null
+++ b/sepolicy/trunksd_client.te
@@ -0,0 +1,3 @@
+# trunks_client attribute.
+allow trunks_client trunks_service:service_manager find;
+bidi_binder_call(trunks_client, trunksd)
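Review bot: `bidi_binder_call(trunks_client, trunksd)` appears, judging by the macro name, to let trunksd initiate binder calls into every domain carrying the `trunks_client` attribute rather than only answer them. The file's only comment, `# trunks_client attribute.`, does not say why the reverse direction is needed. If clients register callbacks with trunksd, document that with a comment such as `# trunksd invokes client callbacks, so binder calls are allowed in both directions.`; if they do not, a one-way call rule would be the narrower grant. The macro definition is outside this commit, so its exact permissions should be confirmed there. The file name `trunksd_client.te` also differs from the attribute `trunks_client` and the macro `allow_call_trunksd`; aligning the names would make the policy easier to grep.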