Skip to content
Snippets Groups Projects
Commit 139d422d authored by Alex Klyubin's avatar Alex Klyubin Committed by android-build-merger
Browse files

Merge "Switch Keymaster HAL policy to _client/_server" am: 38dc1e22 am: 6cb56cc4 

am: 2b5c1d91

Change-Id: Ic376f6d05c99e41de124463af6ebf2af2114fb0f
parents dde36a61 2b5c1d91
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
public/attributes
+ 2
0
View file @ 139d422d
......@@ -150,6 +150,8 @@ attribute hal_graphics_composer;
attribute hal_health;
attribute hal_ir;
attribute hal_keymaster;
attribute hal_keymaster_client;
attribute hal_keymaster_server;
attribute hal_light;
attribute hal_memtrack;
attribute hal_nfc;
......
public/hal_keymaster.te
+ 2
2
View file @ 139d422d
# hwbinder access
hwbinder_use(hal_keymaster)
# HwBinder IPC from client to server
binder_call(hal_keymaster_client, hal_keymaster_server)
allow hal_keymaster tee_device:chr_file rw_file_perms;
allow hal_keymaster tee:unix_stream_socket connectto;
......
public/keystore.te
+ 1
6
View file @ 139d422d
......@@ -8,14 +8,11 @@ binder_service(keystore)
binder_call(keystore, system_server)
# talk to keymaster
binder_call(keystore, hwservicemanager)
binder_call(keystore, hal_keymaster)
hal_client_domain(keystore, hal_keymaster)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
allow keystore tee_device:chr_file rw_file_perms;
allow keystore tee:unix_stream_socket connectto;
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
......@@ -23,9 +20,7 @@ allow keystore sec_key_att_app_id_provider_service:service_manager find;
# Check SELinux permissions.
selinux_check_access(keystore)
allow keystore ion_device:chr_file r_file_perms;
r_dir_file(keystore, cgroup)
allow keystore system_file:dir r_dir_perms;
###
### Neverallow rules
......
public/vold.te
+ 1
6
View file @ 139d422d
......@@ -27,7 +27,6 @@ allow vold shell_exec:file rx_file_perms;
typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate;
allow vold system_file:dir r_dir_perms;
allow vold system_file:file x_file_perms;
allow vold block_device:dir create_dir_perms;
allow vold device:dir write;
......@@ -87,8 +86,6 @@ allow vold fsck_exec:file { r_file_perms execute };
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;
allow vold ion_device:chr_file r_file_perms;
#
# Rules to support encrypted fs support.
#
......@@ -131,9 +128,7 @@ binder_use(vold)
binder_call(vold, healthd)
# talk to keymaster
binder_call(vold, hwservicemanager)
binder_call(vold, hal_keymaster)
allow vold tee_device:chr_file rw_file_perms;
hal_client_domain(vold, hal_keymaster)
# Access userdata block device.
allow vold userdata_block_device:blk_file rw_file_perms;
......
vendor/hal_keymaster_default.te
+ 1
1
View file @ 139d422d
type hal_keymaster_default, domain;
hal_impl_domain(hal_keymaster_default, hal_keymaster)
hal_server_domain(hal_keymaster_default, hal_keymaster)
type hal_keymaster_default_exec, exec_type, file_type;
init_daemon_domain(hal_keymaster_default)
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment