Preliminary policy for hal_keymaster (TREBLE)

This adds the premissions required for android.hardware.keymaster@2.0-service to access the keymaster TA as well as for keystore and vold to lookup and use android.hardware.keymaster@2.0-service. IT DOES NOT remove the privileges from keystore and vold to access the keymaster TA directly. Test: Run keystore CTS tests Bug: 32020919 (cherry picked from commit 5090d6f3) Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19

Preliminary policy for hal_keymaster (TREBLE)
This adds the premissions required for android.hardware.keymaster@2.0-service to access the keymaster TA as well as for keystore and vold to lookup and use android.hardware.keymaster@2.0-service. IT DOES NOT remove the privileges from keystore and vold to access the keymaster TA directly. Test: Run keystore CTS tests Bug: 32020919 (cherry picked from commit 5090d6f3) Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19
e8acd769 · Janis Danisevskis · Alex Klyubin · a7653ee2 · e8acd769 · e8acd769
Commit e8acd769 authored 8 years ago by Janis Danisevskis Committed by Alex Klyubin 8 years ago
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -253,6 +253,7 @@
 /system/bin/hw/android\.hardware\.graphics\.composer@2\.1-service    u:object_r:hal_graphics_composer_default_exec:s0
 /system/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0
 /system/bin/hw/android\.hardware\.ir@1\.0-service             u:object_r:hal_ir_default_exec:s0
+/system/bin/hw/android\.hardware\.keymaster@3\.0-service      u:object_r:hal_keymaster_default_exec:s0
 /system/bin/hw/android\.hardware\.light@2\.0-service          u:object_r:hal_light_default_exec:s0
 /system/bin/hw/android\.hardware\.memtrack@1\.0-service       u:object_r:hal_memtrack_default_exec:s0
 /system/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0

--- a/private/hal_keymaster.te
+++ b/private/hal_keymaster.te
+type hal_keymaster_default, domain;
+hal_impl_domain(hal_keymaster_default, hal_keymaster)
+
+type hal_keymaster_default_exec, exec_type, file_type;
+init_daemon_domain(hal_keymaster_default)
--- a/public/attributes
+++ b/public/attributes
@@ -131,6 +131,7 @@ attribute hal_graphics_allocator;
 attribute hal_graphics_composer;
 attribute hal_health;
 attribute hal_ir;
+attribute hal_keymaster;
 attribute hal_light;
 attribute hal_memtrack;
 attribute hal_nfc;

--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
+# hwbinder access
+hwbinder_use(hal_keymaster)
+
+allow hal_keymaster tee_device:chr_file rw_file_perms;
+allow hal_keymaster tee:unix_stream_socket connectto;
+
+allow hal_keymaster ion_device:chr_file r_file_perms;
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -6,6 +6,11 @@ typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
 binder_call(keystore, system_server)
+
+# talk to keymaster
+binder_call(keystore, hwservicemanager)
+binder_call(keystore, hal_keymaster)
+
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };

--- a/public/vold.te
+++ b/public/vold.te
@@ -130,6 +130,8 @@ binder_use(vold)
 binder_call(vold, healthd)

 # talk to keymaster
+binder_call(vold, hwservicemanager)
+binder_call(vold, hal_keymaster)
 allow vold tee_device:chr_file rw_file_perms;

 # Access userdata block device.