author | ChihYao Chien <ccchien@google.com> | 2021-02-04 17:08:22 +0800 |
committer | ChihYao Chien <ccchien@google.com> | 2021-05-21 06:50:41 +0000 |
commit | 71e21da3854ac97a21aa3b14957d560a66662d46 (patch) | |
tree | f618ed5b5a8bc488c89b30620e426c34b2fb3359 /vendor | |
parent | 5101245f08ca608a162b1b71735c18ce2fe28b2c (diff) | |
download | sunfish-sepolicy-71e21da3854ac97a21aa3b14957d560a66662d46.tar.gz |
Sync sepolicy from qcom-au091 for keymaster daemon
init: Could not start service 'keymaster-4-1' as part of class 'early_hal':
File /vendor/bin/hw/android.hardware.keymaster@4.1-service-qti(labeled "u:object_r:vendor_file:s0")
has incorrect label or no domain transition from u:r:init:s0 to another SELinux domain defined.
reference to qcom/lito/platform/vendor/qcom/sepolicy_vndr:fefbf6b185221bb37b24ae8eea74862a97389650
cherry-pick from 6903a0fa10f95bec2d05608a20b2d6164177846d
Bug: 185598142
Bug: 178358917
Change-Id: I77c6a6cda6b2772d4ff81a3bb6a0fc819cc47f49
Diffstat (limited to 'vendor')
-rw-r--r-- | vendor/qcom/common/file_contexts | 2 | ||||
-rw-r--r-- | vendor/qcom/common/init-qti-keymaster-sh.te | 38 | ||||
-rw-r--r-- | vendor/qcom/common/property.te | 2 | ||||
-rw-r--r-- | vendor/qcom/common/property_contexts | 3 |
4 files changed, 45 insertions, 0 deletions
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 816596d..0e99310 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -67,6 +67,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-strongbox-service-qti u:object_r:hal_keymaster_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service-qti u:object_r:hal_keymaster_qti_exec:s0
+/(vendor|system/vendor)/bin/init\.qti\.keymaster\.sh u:object_r:init-qti-keymaster-sh_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0
 /(vendor|system/vendor)/bin/imsrcsd u:object_r:hal_rcsservice_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qteeconnector@1\.0-service u:object_r:hal_qteeconnector_qti_exec:s0
diff --git a/vendor/qcom/common/init-qti-keymaster-sh.te b/vendor/qcom/common/init-qti-keymaster-sh.te
new file mode 100644
index 0000000..bb974c2
--- /dev/null
+++ b/vendor/qcom/common/init-qti-keymaster-sh.te
@@ -0,0 +1,38 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type init-qti-keymaster-sh, domain;
+type init-qti-keymaster-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-qti-keymaster-sh)
+
+# Set vendor.keymaster.strongbox.version to 40 or 41
+set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop);
+set_prop(init-qti-keymaster-sh, vendor_disable_spu_prop)
+
+allow init-qti-keymaster-sh vendor_shell_exec:file rx_file_perms;
+allow init-qti-keymaster-sh vendor_toolbox_exec:file rx_file_perms;
diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te
index 5f08525..fb6f433 100644
--- a/vendor/qcom/common/property.te
+++ b/vendor/qcom/common/property.te
@@ -60,4 +60,6 @@ vendor_internal_prop(ctl_vendor_rmt_storage_prop)
 vendor_internal_prop(vendor_wifi_version)
 vendor_internal_prop(vendor_cnss_diag_prop)
 vendor_internal_prop(vendor_modem_diag_prop)
+vendor_internal_prop(vendor_disable_spu_prop)
 vendor_restricted_prop(vendor_hvdcp_opti_prop)
+vendor_restricted_prop(vendor_km_strongbox_version_prop)
diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts
index 9ce9ac9..eebfb81 100644
--- a/vendor/qcom/common/property_contexts
+++ b/vendor/qcom/common/property_contexts
@@ -86,3 +86,6 @@ persist.vendor.data.shsusr_load u:object_r:vendor_radio_prop:s0
 persist.vendor.data.perf_ko_load u:object_r:vendor_radio_prop:s0
 persist.vendor.data.qmipriod_load u:object_r:vendor_radio_prop:s0
 persist.vendor.data.offload_ko_load u:object_r:vendor_radio_prop:s0
+
+#keymaster strongbox service
+vendor.keymaster.strongbox.version u:object_r:vendor_km_strongbox_version_prop:s0
|
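Review bot: The first set_prop() rule in init-qti-keymaster-sh.te ends with a semicolon while the second does not; the macro already expands to complete allow rules, so the stray `;` is at best an empty statement and the two lines should read `set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop)` and `set_prop(init-qti-keymaster-sh, vendor_disable_spu_prop)`. The comment above them documents only the strongbox-version property; the second grant has no explanation of what the script writes to the SPU-disable property or which domain consumes it, and a one-line comment stating that (with the actual property name) would let a reviewer judge whether vendor_internal_prop is the right classification. The vendor_shell_exec and vendor_toolbox_exec rx grants are the expected minimum for a shell script started through init_daemon_domain and look correct.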
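Review bot: The property_contexts hunk maps only vendor.keymaster.strongbox.version, yet property.te declares vendor_disable_spu_prop and the new domain is granted set_prop on it; no property is mapped to that type anywhere in this change. Unless the mapping lives in a file outside the 'vendor' diffstat, a setprop on the SPU property from init.qti.keymaster.sh would presumably fall back to the default vendor property label and be denied, leaving the set_prop grant dead policy. Add the mapping next to the strongbox line, `<spu-property-name> u:object_r:vendor_disable_spu_prop:s0`, using the real property name from the script.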