diff options
author | Kenny Root <kroot@google.com> | 2020-05-31 16:00:41 -0700 |
---|---|---|
committer | Kenny Root <kroot@google.com> | 2020-06-02 09:29:56 -0700 |
commit | 4d3a722898dc8fa5b8d116210dfbbd289915e21c (patch) | |
tree | 68ec1b9a305bea4e5e0e85d2c64dc9258fd8608e | |
parent | a764618715708011c448acb09d6002748004bd0d (diff) | |
download | crosshatch-sepolicy-4d3a722898dc8fa5b8d116210dfbbd289915e21c.tar.gz |
Resume-on-Reboot: Citadel implementation
This is an implementation of the RebootEscrow HAL for Citadel. It
escrows a key-encryption-key for the synthetic password during an OTA.
Bug: 157857322
Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.ResumeOnRebootHostTest
Change-Id: I88fcb4a79c1748de033090da9e854804cd23c65e
-rw-r--r-- | vendor/google/file_contexts | 3 | ||||
-rw-r--r-- | vendor/google/hal_rebootescrow_citadel.te | 16 |
2 files changed, 18 insertions, 1 deletions
diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts index 890d06e..fad5dfe 100644 --- a/vendor/google/file_contexts +++ b/vendor/google/file_contexts @@ -1,6 +1,5 @@ # dev nodes /dev/citadel0 u:object_r:citadel_device:s0 -/dev/access-kregistry u:object_r:rebootescrow_device:s0 /dev/access-metadata u:object_r:ramoops_device:s0 /dev/access-ramoops u:object_r:ramoops_device:s0 /dev/maxfg_history u:object_r:maxfg_device:s0 @@ -11,6 +10,7 @@ /vendor/bin/hw/android\.hardware\.oemlock@1\.0-service\.citadel u:object_r:hal_oemlock_citadel_exec:s0 /vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0 /vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0 +/vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel u:object_r:hal_rebootescrow_citadel_exec:s0 /vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0 /vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0 /vendor/bin/hw/wait_for_strongbox u:object_r:wait_for_strongbox_exec:s0 @@ -25,6 +25,7 @@ /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor u:object_r:hal_wifi_ext_exec:s0 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0 +/data/vendor/rebootescrow(/.*)? u:object_r:hal_rebootescrow_citadel_data_file:s0 /data/vendor_ce/[0-9]+/ramoops(/.*)? u:object_r:ramoops_vendor_data_file:s0 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 diff --git a/vendor/google/hal_rebootescrow_citadel.te b/vendor/google/hal_rebootescrow_citadel.te new file mode 100644 index 0000000..401a985 --- /dev/null +++ b/vendor/google/hal_rebootescrow_citadel.te @@ -0,0 +1,16 @@ +type hal_rebootescrow_citadel, domain; +type hal_rebootescrow_citadel_exec, exec_type, vendor_file_type, file_type; +type hal_rebootescrow_citadel_data_file, file_type, data_file_type; + +hal_server_domain(hal_rebootescrow_citadel, hal_rebootescrow) + +vndbinder_use(hal_rebootescrow_citadel) +binder_call(hal_rebootescrow_citadel, citadeld) +allow hal_rebootescrow_citadel citadeld_service:service_manager find; + +hal_client_domain(hal_rebootescrow_citadel, hal_keymaster) + +init_daemon_domain(hal_rebootescrow_citadel) + +allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:dir create_dir_perms; +allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:file create_file_perms; |