Merge "Switch Keymaster HAL policy to _client/_server"

am: 38dc1e22 Change-Id: If47397bdc5dc7e488b6e6e1dcac059a6e6389f29

Merge "Switch Keymaster HAL policy to _client/_server"
am: 38dc1e22 Change-Id: If47397bdc5dc7e488b6e6e1dcac059a6e6389f29
6cb56cc4 · Alex Klyubin · android-build-merger · 4afe2e28 · 38dc1e22 · 6cb56cc4
Commit 6cb56cc4 authored 8 years ago by Alex Klyubin Committed by android-build-merger 8 years ago
--- a/public/attributes
+++ b/public/attributes
@@ -150,6 +150,8 @@ attribute hal_graphics_composer;
 attribute hal_health;
 attribute hal_ir;
 attribute hal_keymaster;
+attribute hal_keymaster_client;
+attribute hal_keymaster_server;
 attribute hal_light;
 attribute hal_memtrack;
 attribute hal_nfc;

--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
-# hwbinder access
+# HwBinder IPC from client to server
-hwbinder_use(hal_keymaster)
+binder_call(hal_keymaster_client, hal_keymaster_server)
 allow hal_keymaster tee_device:chr_file rw_file_perms;
 allow hal_keymaster tee:unix_stream_socket connectto;

--- a/public/keystore.te
+++ b/public/keystore.te
@@ -8,14 +8,11 @@ binder_service(keystore)
 binder_call(keystore, system_server)
 # talk to keymaster
-binder_call(keystore, hwservicemanager)
+hal_client_domain(keystore, hal_keymaster)
-binder_call(keystore, hal_keymaster)
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
-allow keystore tee_device:chr_file rw_file_perms;
-allow keystore tee:unix_stream_socket connectto;
 add_service(keystore, keystore_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
@@ -23,9 +20,7 @@ allow keystore sec_key_att_app_id_provider_service:service_manager find;
 # Check SELinux permissions.
 selinux_check_access(keystore)
-allow keystore ion_device:chr_file r_file_perms;
 r_dir_file(keystore, cgroup)
-allow keystore system_file:dir r_dir_perms;
 ###
 ### Neverallow rules

--- a/public/vold.te
+++ b/public/vold.te
@@ -27,7 +27,6 @@ allow vold shell_exec:file rx_file_perms;
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
-allow vold system_file:dir r_dir_perms;
 allow vold system_file:file x_file_perms;
 allow vold block_device:dir create_dir_perms;
 allow vold device:dir write;
@@ -87,8 +86,6 @@ allow vold fsck_exec:file { r_file_perms execute };
 allow vold fscklogs:dir rw_dir_perms;
 allow vold fscklogs:file create_file_perms;
-allow vold ion_device:chr_file r_file_perms;
 #
 # Rules to support encrypted fs support.
 #
@@ -131,9 +128,7 @@ binder_use(vold)
 binder_call(vold, healthd)
 # talk to keymaster
-binder_call(vold, hwservicemanager)
+hal_client_domain(vold, hal_keymaster)
-binder_call(vold, hal_keymaster)
-allow vold tee_device:chr_file rw_file_perms;
 # Access userdata block device.
 allow vold userdata_block_device:blk_file rw_file_perms;

--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
 type hal_keymaster_default, domain;
-hal_impl_domain(hal_keymaster_default, hal_keymaster)
+hal_server_domain(hal_keymaster_default, hal_keymaster)
 type hal_keymaster_default_exec, exec_type, file_type;
 init_daemon_domain(hal_keymaster_default)