authorKenny Root <kroot@google.com>2020-06-09 11:48:32 -0700
committerKenny Root <kroot@google.com>2020-07-07 14:48:28 -0700
commitb498267fc3687b3c90539c7833b1154c5e83d4fb (patch)
tree779a9cfb3563acaa0413913f7970615cf80a2e7c
parenta53c5bc9503303405919bfebfb655cc2593508df (diff)
downloadcoral-sepolicy-b498267fc3687b3c90539c7833b1154c5e83d4fb.tar.gz
Citadel: move rules to common directory
Move all the common Citadel rules to a directory where they can all be changed simultaneously, to avoid accidental version skew between the devices.

Test: build affected devices locally
Bug: 143330574
Change-Id: I238f5211ccb606af13fb429134d76eae847a7d8e
-rw-r--r--coral-sepolicy.mk3
-rw-r--r--vendor/google/citadel_provision.te42
-rw-r--r--vendor/google/citadeld.te18
-rw-r--r--vendor/google/device.te1
-rw-r--r--vendor/google/file_contexts11
-rw-r--r--vendor/google/hal_keymaster_citadel.te11
-rw-r--r--vendor/google/hal_rebootescrow_citadel.te17
-rw-r--r--vendor/google/hal_weaver_citadel.te11
-rw-r--r--vendor/google/init_citadel.te21
-rw-r--r--vendor/google/recovery.te1
-rw-r--r--vendor/google/vndservice.te1
-rw-r--r--vendor/google/vndservice_contexts1
-rw-r--r--vendor/google/wait_for_strongbox.te9
13 files changed, 23 insertions, 124 deletions
diff --git a/coral-sepolicy.mk b/coral-sepolicy.mk
index b4da01c..4d1a0e2 100644
--- a/coral-sepolicy.mk
+++ b/coral-sepolicy.mk
@@ -8,3 +8,6 @@ BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/sm8150
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/knowles/common
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/tracking_denials
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/verizon
+
+# Pixel-wide
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel
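Review bot: The `# Pixel-wide` comment above the new BOARD_SEPOLICY_DIRS entry does not say that the rules left in vendor/google now depend on that directory. The remaining citadel_provision.te, citadeld.te and init_citadel.te still reference citadel_provision, citadeld and init_citadel, while this commit removes their type declarations. Presumably the device policy no longer compiles without hardware/google/pixel-sepolicy/citadel, though that directory is not visible here. A comment such as `# Pixel-wide Citadel policy; declares the citadel* types that vendor/google/*.te extends` would make the dependency visible to the next person who reorders or prunes this list.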
diff --git a/vendor/google/citadel_provision.te b/vendor/google/citadel_provision.te
index d178a79..803195d 100644
--- a/vendor/google/citadel_provision.te
+++ b/vendor/google/citadel_provision.te
@@ -1,31 +1,25 @@
-type citadel_provision, domain;
-type citadel_provision_exec, exec_type, vendor_file_type, file_type;
-
# Extra permissions for userdebug that allow lazy-provisioning of
# keymaster preshared-keys, used for faceauth authtoken enforcement.
# (i.e. for EVT devices that leave factory unprovisioned).
userdebug_or_eng(`
+ vndbinder_use(citadel_provision)
+ binder_call(citadel_provision, citadeld)
+ allow citadel_provision citadeld_service:service_manager find;
+ hwbinder_use(citadel_provision)
+ get_prop(citadel_provision, hwservicemanager_prop)
+ allow citadel_provision hidl_manager_hwservice:hwservice_manager find;
-init_daemon_domain(citadel_provision)
-
-vndbinder_use(citadel_provision)
-binder_call(citadel_provision, citadeld)
-allow citadel_provision citadeld_service:service_manager find;
-hwbinder_use(citadel_provision)
-get_prop(citadel_provision, hwservicemanager_prop)
-allow citadel_provision hidl_manager_hwservice:hwservice_manager find;
-
-allow citadel_provision vndbinder_device:chr_file ioctl;
-allow citadel_provision self:qipcrtr_socket create_socket_perms_no_ioctl;
-allow citadel_provision ion_device:chr_file r_file_perms;
-allow citadel_provision tee_device:chr_file rw_file_perms;
-get_prop(citadel_provision, vendor_tee_listener_prop);
+ allow citadel_provision vndbinder_device:chr_file ioctl;
+ allow citadel_provision self:qipcrtr_socket create_socket_perms_no_ioctl;
+ allow citadel_provision ion_device:chr_file r_file_perms;
+ allow citadel_provision tee_device:chr_file rw_file_perms;
+ get_prop(citadel_provision, vendor_tee_listener_prop);
-dontaudit citadel_provision sysfs_esoc:dir r_dir_perms;
-dontaudit citadel_provision sysfs_esoc:file r_file_perms;
-dontaudit citadel_provision sysfs_msm_subsys:dir r_dir_perms;
-dontaudit citadel_provision sysfs_ssr:file r_file_perms;
-dontaudit citadel_provision sysfs:file r_file_perms;
-dontaudit citadel_provision sysfs_faceauth:dir r_dir_perms;
-dontaudit citadel_provision sysfs_faceauth:file r_file_perms;
+ dontaudit citadel_provision sysfs_esoc:dir r_dir_perms;
+ dontaudit citadel_provision sysfs_esoc:file r_file_perms;
+ dontaudit citadel_provision sysfs_msm_subsys:dir r_dir_perms;
+ dontaudit citadel_provision sysfs_ssr:file r_file_perms;
+ dontaudit citadel_provision sysfs:file r_file_perms;
+ dontaudit citadel_provision sysfs_faceauth:dir r_dir_perms;
+ dontaudit citadel_provision sysfs_faceauth:file r_file_perms;
')
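Review bot: The `dontaudit citadel_provision sysfs:file r_file_perms;` rule kept inside the userdebug_or_eng block silences every read denial on files with the generic sysfs label. If CitadelProvision later starts reading a different sysfs node, no avc record will be left to triage. The neighbouring dontaudit rules name specific types (sysfs_esoc, sysfs_ssr, sysfs_faceauth), so this one stands out as the only unscoped entry. Since the block is already being re-indented, it would help to add a comment giving the reason, for example `# TODO(b/<bug-id>): label the sysfs node read during provisioning and drop this generic dontaudit`. The domain also keeps `tee_device:chr_file rw_file_perms`, so a line stating that these grants must stay inside userdebug_or_eng would guard against a later edit moving them out.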
diff --git a/vendor/google/citadeld.te b/vendor/google/citadeld.te
index 7f6a31f..dc18d24 100644
--- a/vendor/google/citadeld.te
+++ b/vendor/google/citadeld.te
@@ -1,20 +1,2 @@
-type citadeld, domain;
-type citadeld_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(citadeld)
-add_service(citadeld, citadeld_service)
-
-allow citadeld citadel_device:chr_file rw_file_perms;
-
-allow citadeld hal_power_stats_default:binder { call transfer };
allow citadeld power_stats_service:service_manager find;
-
allow citadeld debugfs_ipc:dir search;
-
-# Let citadeld find and use statsd.
-hwbinder_use(citadeld)
-get_prop(citadeld, hwservicemanager_prop)
-allow citadeld fwk_stats_hwservice:hwservice_manager find;
-binder_call(citadeld, stats_service_server)
-
-init_daemon_domain(citadeld)
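Review bot: The `allow citadeld power_stats_service:service_manager find;` rule stays in this file while the matching `allow citadeld hal_power_stats_default:binder { call transfer };` is removed. The lookup is only useful if the common Citadel directory carries that binder rule. The common policy is not visible in this diff, so this should be confirmed with a device boot and a check for citadeld denials, not just a successful build. The two surviving rules also lost their surrounding context, including why citadeld needs `debugfs_ipc:dir search`. A header comment such as `# coral-specific additions to the common citadeld domain (power stats reporting)` would explain why the file still exists.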
diff --git a/vendor/google/device.te b/vendor/google/device.te
index 08e8154..03af45f 100644
--- a/vendor/google/device.te
+++ b/vendor/google/device.te
@@ -1,7 +1,6 @@
type abc_tpu_device, dev_type;
type airbrush_device, dev_type, mlstrustedobject;
type airbrush_sm_device, dev_type, mlstrustedobject;
-type citadel_device, dev_type;
type faceauth_device, dev_type;
type ipu_device, dev_type, mlstrustedobject;
type touch_offload_device, dev_type;
diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts
index 4fd4689..c6de807 100644
--- a/vendor/google/file_contexts
+++ b/vendor/google/file_contexts
@@ -6,7 +6,6 @@
/dev/access-metadata u:object_r:ramoops_device:s0
/dev/access-ramoops u:object_r:ramoops_device:s0
/dev/block/zram0 u:object_r:swap_block_device:s0
-/dev/citadel0 u:object_r:citadel_device:s0
/dev/faceauth u:object_r:faceauth_device:s0
/dev/ipu u:object_r:ipu_device:s0
/dev/maxfg_history u:object_r:maxfg_device:s0
@@ -32,22 +31,13 @@
/vendor/bin/hw/android\.hardware\.biometrics\.face@1\.0-service\.google u:object_r:hal_face_default_exec:s0
/vendor/bin/hw/android\.hardware\.camera\.provider@2\.6-service-google u:object_r:hal_camera_default_exec:s0
/vendor/bin/hw/android\.hardware\.contexthub@1\.1-service\.generic u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-noronha u:object_r:hal_neuralnetworks_darwinn_exec:s0
/vendor/bin/hw/android\.hardware\.power\.stats@1\.0-service\.pixel u:object_r:hal_power_stats_default_exec:s0
-/vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel u:object_r:hal_rebootescrow_citadel_exec:s0
/vendor/bin/hw/android\.hardware\.secure_element@1\.0-service\.st u:object_r:hal_secure_element_default_exec:s0
/vendor/bin/hw/android\.hardware\.usb@1\.2-service\.coral u:object_r:hal_usb_impl_exec:s0
-/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
-/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
-/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
-/vendor/bin/hw/citadel_updater u:object_r:citadel_updater_exec:s0
-/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0
/vendor/bin/hw/hardware\.google\.light@1\.1-service u:object_r:hal_light_default_exec:s0
/vendor/bin/hw/vendor\.google\.airbrush@1\.0-service u:object_r:airbrush_exec:s0
/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
-/vendor/bin/hw/wait_for_strongbox u:object_r:wait_for_strongbox_exec:s0
/vendor/bin/color_init u:object_r:color_init_exec:s0
/vendor/bin/init\.ramoops\.sh u:object_r:ramoops_exec:s0
/vendor/bin/modem_svc u:object_r:modem_svc_exec:s0
@@ -118,7 +108,6 @@
/data/vendor/hal_neuralnetworks_darwinn/hal_camera(/.*)? u:object_r:hal_neuralnetworks_darwinn_hal_camera_data_file:s0
/data/vendor/camera_calibration(/.*)? u:object_r:camera_calibration_vendor_data_file:s0
/data/vendor/face(/.*)? u:object_r:face_vendor_data_file:s0
-/data/vendor/rebootescrow(/.*)? u:object_r:hal_rebootescrow_citadel_data_file:s0
/data/per_boot(/.*)? u:object_r:per_boot_file:s0
# dev socket node
diff --git a/vendor/google/hal_keymaster_citadel.te b/vendor/google/hal_keymaster_citadel.te
deleted file mode 100644
index dd0a735..0000000
--- a/vendor/google/hal_keymaster_citadel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_keymaster_citadel, domain;
-type hal_keymaster_citadel_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(hal_keymaster_citadel)
-binder_call(hal_keymaster_citadel, citadeld)
-allow hal_keymaster_citadel citadeld_service:service_manager find;
-
-hal_server_domain(hal_keymaster_citadel, hal_keymaster)
-init_daemon_domain(hal_keymaster_citadel)
-
-get_prop(hal_keymaster_citadel, vendor_security_patch_level_prop)
diff --git a/vendor/google/hal_rebootescrow_citadel.te b/vendor/google/hal_rebootescrow_citadel.te
deleted file mode 100644
index 4ca8a1e..0000000
--- a/vendor/google/hal_rebootescrow_citadel.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type hal_rebootescrow_citadel, domain;
-type hal_rebootescrow_citadel_exec, exec_type, vendor_file_type, file_type;
-type hal_rebootescrow_citadel_data_file, file_type, data_file_type;
-
-hal_server_domain(hal_rebootescrow_citadel, hal_rebootescrow)
-
-vndbinder_use(hal_rebootescrow_citadel)
-binder_call(hal_rebootescrow_citadel, citadeld)
-allow hal_rebootescrow_citadel citadeld_service:service_manager find;
-
-hal_client_domain(hal_rebootescrow_citadel, hal_keymaster)
-
-init_daemon_domain(hal_rebootescrow_citadel)
-
-allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:dir create_dir_perms;
-allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:file create_file_perms;
-
diff --git a/vendor/google/hal_weaver_citadel.te b/vendor/google/hal_weaver_citadel.te
deleted file mode 100644
index aa16960..0000000
--- a/vendor/google/hal_weaver_citadel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_weaver_citadel, domain;
-type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(hal_weaver_citadel)
-binder_call(hal_weaver_citadel, citadeld)
-allow hal_weaver_citadel citadeld_service:service_manager find;
-
-hal_server_domain(hal_weaver_citadel, hal_weaver)
-hal_server_domain(hal_weaver_citadel, hal_oemlock)
-hal_server_domain(hal_weaver_citadel, hal_authsecret)
-init_daemon_domain(hal_weaver_citadel)
diff --git a/vendor/google/init_citadel.te b/vendor/google/init_citadel.te
index 3306804..f08ea1f 100644
--- a/vendor/google/init_citadel.te
+++ b/vendor/google/init_citadel.te
@@ -1,20 +1,3 @@
-type init_citadel, domain;
-type init_citadel_exec, exec_type, vendor_file_type, file_type;
-type citadel_updater_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(init_citadel)
-
-vndbinder_use(init_citadel)
-binder_call(init_citadel, citadeld)
-allow init_citadel citadeld_service:service_manager find;
-
-# Many standard utils are actually vendor_toolbox (like xxd)
-allow init_citadel vendor_toolbox_exec:file rx_file_perms;
-
-# init_citadel needs to invoke citadel_updater
-allow init_citadel citadel_updater_exec:file rx_file_perms;
-allow init_citadel citadel_device:chr_file rw_file_perms;
-
-# We also might need to read the board-id from a sysfs file, if
-# we can't determine it from getprop.
+# init_citadel might need to read the board-id from a sysfs file, if we
+# can't determine it from getprop.
allow init_citadel sysfs_msm_boardid:file r_file_perms;
diff --git a/vendor/google/recovery.te b/vendor/google/recovery.te
index 7e7925c..39cb557 100644
--- a/vendor/google/recovery.te
+++ b/vendor/google/recovery.te
@@ -1,5 +1,4 @@
recovery_only(`
- allow recovery citadel_device:chr_file rw_file_perms;
allow recovery sg_device:chr_file rw_file_perms;
allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
')
diff --git a/vendor/google/vndservice.te b/vendor/google/vndservice.te
index 8047846..33ce7dd 100644
--- a/vendor/google/vndservice.te
+++ b/vendor/google/vndservice.te
@@ -1,4 +1,3 @@
-type citadeld_service, vndservice_manager_type;
type rls_service, vndservice_manager_type;
type power_stats_service, vndservice_manager_type;
type airbrush_faceauth_service, vndservice_manager_type;
diff --git a/vendor/google/vndservice_contexts b/vendor/google/vndservice_contexts
index f0744bd..c59c217 100644
--- a/vendor/google/vndservice_contexts
+++ b/vendor/google/vndservice_contexts
@@ -1,4 +1,3 @@
-android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0
rlsservice u:object_r:rls_service:s0
airbrush_faceauth u:object_r:airbrush_faceauth_service:s0
airbrush_tpu u:object_r:airbrush_tpu_service:s0
diff --git a/vendor/google/wait_for_strongbox.te b/vendor/google/wait_for_strongbox.te
deleted file mode 100644
index c9586c8..0000000
--- a/vendor/google/wait_for_strongbox.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# wait_for_strongbox service
-type wait_for_strongbox, domain;
-type wait_for_strongbox_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(wait_for_strongbox)
-
-hal_client_domain(wait_for_strongbox, hal_keymaster)
-
-allow wait_for_strongbox kmsg_device:chr_file w_file_perms; \ No newline at end of file