diff options
author | Kenny Root <kroot@google.com> | 2020-06-01 19:26:26 -0700 |
---|---|---|
committer | Kenny Root <kroot@google.com> | 2020-06-08 18:53:00 -0700 |
commit | 12a75cb9c44dc0f25a5d921512d621c574061de4 (patch) | |
tree | dc374b9902853cb4c1577b285ecc93c1e637dd6c | |
parent | 7334530c9a04a3760d869b59f24132c88b23a927 (diff) | |
download | sunfish-sepolicy-12a75cb9c44dc0f25a5d921512d621c574061de4.tar.gz |
Resume-on-Reboot: Citadel implementation
This is an implementation of the RebootEscrow HAL for Citadel. It
escrows a key-encryption-key for the synthetic password during an OTA.
Bug: 157857322
Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.ResumeOnRebootHostTest
Change-Id: I91ef721209e9124dd62bea81be1af2aec44fa2ec
-rw-r--r-- | vendor/google/file.te | 1 | ||||
-rw-r--r-- | vendor/google/file_contexts | 3 | ||||
-rw-r--r-- | vendor/google/hal_rebootescrow_citadel.te | 15 |
3 files changed, 18 insertions, 1 deletions
diff --git a/vendor/google/file.te b/vendor/google/file.te index 20982b0..fd2bd46 100644 --- a/vendor/google/file.te +++ b/vendor/google/file.te @@ -31,6 +31,7 @@ type debugfs_clk, debugfs_type, fs_type; type debugfs_pmic, debugfs_type, fs_type; type sysfs_contaminant, sysfs_type, fs_type; type hal_neuralnetworks_darwinn_hal_camera_data_file, file_type, data_file_type; +type hal_rebootescrow_citadel_data_file, file_type, data_file_type; type sysfs_knowles_info, fs_type, sysfs_type; type sysfs_fingerprint, sysfs_type, fs_type; type per_boot_file, file_type, data_file_type, core_data_file_type; diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts index 9dec45d..df7bfa6 100644 --- a/vendor/google/file_contexts +++ b/vendor/google/file_contexts @@ -1,6 +1,5 @@ # dev nodes /dev/abc-pcie-tpu_0 u:object_r:abc_tpu_device:s0 -/dev/access-kregistry u:object_r:rebootescrow_device:s0 /dev/access-metadata u:object_r:ramoops_device:s0 /dev/access-ramoops u:object_r:ramoops_device:s0 /dev/block/zram0 u:object_r:swap_block_device:s0 @@ -25,6 +24,7 @@ /vendor/bin/hw/android\.hardware\.neuralnetworks@1\.0-service-paintbox u:object_r:hal_neuralnetworks_paintbox_exec:s0 /vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-noronha u:object_r:hal_neuralnetworks_darwinn_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats@1\.0-service\.pixel u:object_r:hal_power_stats_default_exec:s0 +/vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel u:object_r:hal_rebootescrow_citadel_exec:s0 /vendor/bin/hw/android\.hardware\.usb@1\.2-service\.sunfish u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/android\.hardware\.vibrator@1\.3-service\.sunfish u:object_r:hal_vibrator_default_exec:s0 /vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0 @@ -64,6 +64,7 @@ /data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 /data/vendor_ce/[0-9]+/ramoops(/.*)? u:object_r:ramoops_vendor_data_file:s0 /data/vendor/hal_neuralnetworks_darwinn/hal_camera(/.*)? u:object_r:hal_neuralnetworks_darwinn_hal_camera_data_file:s0 +/data/vendor/rebootescrow(/.*)? u:object_r:hal_rebootescrow_citadel_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 # dev socket node diff --git a/vendor/google/hal_rebootescrow_citadel.te b/vendor/google/hal_rebootescrow_citadel.te new file mode 100644 index 0000000..c85ce20 --- /dev/null +++ b/vendor/google/hal_rebootescrow_citadel.te @@ -0,0 +1,15 @@ +type hal_rebootescrow_citadel, domain; +type hal_rebootescrow_citadel_exec, exec_type, vendor_file_type, file_type; + +hal_server_domain(hal_rebootescrow_citadel, hal_rebootescrow) + +vndbinder_use(hal_rebootescrow_citadel) +binder_call(hal_rebootescrow_citadel, citadeld) +allow hal_rebootescrow_citadel citadeld_service:service_manager find; + +hal_client_domain(hal_rebootescrow_citadel, hal_keymaster) + +init_daemon_domain(hal_rebootescrow_citadel) + +allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:dir create_dir_perms; +allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:file create_file_perms; |