From f7543d27b8371107ed69d9a1900c21954a77b6a4 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Wed, 22 Feb 2017 19:48:17 -0800
Subject: [PATCH] Switch Keymaster HAL policy to _client/_server

This switches Keymaster HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Keymaster HAL.

Domains which are clients of Keymaster HAL, such as keystore and vold domains, are granted rules targeting hal_keymaster only when the Keymaster HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_keymaster are not granted to client domains.

Domains which offer a binderized implementation of Keymaster HAL, such as hal_keymaster_default domain, are always granted rules targeting hal_keymaster.

Test: Password-protected sailfish boots up and lock screen unlocks -- this exercises vold -> Keymaster HAL interaction
Test: All Android Keystore CTS tests pass -- this exercises keystore -> Keymaster HAL interaction:
make cts cts-tradefed
cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check --abi arm64-v8a \
--module CtsKeystoreTestCases
Bug: 34170079
Change-Id: I2254d0fdee72145721654d6c9e6e8d3331920ec7
---
 public/attributes | 2 ++
 public/hal_keymaster.te | 4 ++--
 public/keystore.te | 7 +------
 public/vold.te | 7 +------
 vendor/hal_keymaster_default.te | 2 +-
 5 files changed, 7 insertions(+), 15 deletions(-)

diff --git a/public/attributes b/public/attributes
index d418375ce..55f87ca68 100644
--- a/public/attributes
+++ b/public/attributes
@@ -150,6 +150,8 @@ attribute hal_graphics_composer;
 attribute hal_health;
 attribute hal_ir;
 attribute hal_keymaster;
+attribute hal_keymaster_client;
+attribute hal_keymaster_server;
 attribute hal_light;
 attribute hal_memtrack;
 attribute hal_nfc;
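Review bot: `attribute hal_keymaster_client;` and `attribute hal_keymaster_server;` are declared with no comment, and nothing in this file says which macro assigns each of them, so a reader of attributes alone cannot tell the pair apart. The macros that presumably assign them (hal_client_domain and hal_server_domain, used in the keystore.te, vold.te and hal_keymaster_default.te hunks of this patch) are defined outside the patch. A short comment would help: `# Assigned by hal_client_domain / hal_server_domain; see public/hal_keymaster.te`.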
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index a3aef59ae..d50812c39 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -1,5 +1,5 @@
-# hwbinder access
-hwbinder_use(hal_keymaster)
+# HwBinder IPC from client to server
+binder_call(hal_keymaster_client, hal_keymaster_server)
 
 allow hal_keymaster tee_device:chr_file rw_file_perms;
 allow hal_keymaster tee:unix_stream_socket connectto;
diff --git a/public/keystore.te b/public/keystore.te
index ec6d1926f..55cafc541 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -8,14 +8,11 @@ binder_service(keystore)
 binder_call(keystore, system_server)
 
 # talk to keymaster
-binder_call(keystore, hwservicemanager)
-binder_call(keystore, hal_keymaster)
+hal_client_domain(keystore, hal_keymaster)
 
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
-allow keystore tee_device:chr_file rw_file_perms;
-allow keystore tee:unix_stream_socket connectto;
 
 add_service(keystore, keystore_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
@@ -23,9 +20,7 @@ allow keystore sec_key_att_app_id_provider_service:service_manager find;
 # Check SELinux permissions.
 selinux_check_access(keystore)
 
-allow keystore ion_device:chr_file r_file_perms;
 r_dir_file(keystore, cgroup)
-allow keystore system_file:dir r_dir_perms;
 
 ###
 ### Neverallow rules
diff --git a/public/vold.te b/public/vold.te
index 0e4eddc70..cda6424bc 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -27,7 +27,6 @@ allow vold shell_exec:file rx_file_perms;
 
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
-allow vold system_file:dir r_dir_perms;
 allow vold system_file:file x_file_perms;
 allow vold block_device:dir create_dir_perms;
 allow vold device:dir write;
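Review bot: Dropping `hwbinder_use(hal_keymaster)` removes the HAL process's own HwBinder access from this file, and the replacement `binder_call(hal_keymaster_client, hal_keymaster_server)` only covers client-to-server calls, so the server's own HwBinder setup presumably now comes from hal_server_domain, which is not in this patch and cannot be checked from the hunk. The two remaining `allow hal_keymaster tee_device:chr_file rw_file_perms;` / `tee:unix_stream_socket connectto` rules stay keyed on `hal_keymaster`, which by the description means client domains inherit direct TEE access only in passthrough mode. That mode dependence is the whole point of the change and is worth stating next to the rules, e.g. `# TEE access below reaches client domains only in passthrough mode (hal_client_domain); binderized clients use HwBinder IPC instead.`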
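Review bot: The `# talk to keymaster` comment kept above `hal_client_domain(keystore, hal_keymaster)` no longer describes what is granted, because the grant is now mode-dependent: per the description keystore receives the hal_keymaster rules (the TEE device and socket access removed a few lines below) only in passthrough mode and HwBinder IPC otherwise. The hunk also relies on hal_client_domain, defined outside the patch, to stand in for the dropped `binder_call(keystore, hwservicemanager)` that binderized lookup needs; that is inferred, not visible here. Suggest `# Keymaster HAL: HwBinder IPC when binderized; direct TEE rules only when the HAL runs in-process (passthrough)`.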
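Review bot: The removal of `allow keystore ion_device:chr_file r_file_perms;` and `allow keystore system_file:dir r_dir_perms;` in the -23,9 hunk is not explained by the commit message, which only discusses the hal_keymaster and hwservicemanager rules; the same unexplained drops appear in the vold.te hunks (`system_file:dir r_dir_perms` at -27,7 and `ion_device:chr_file r_file_perms` at -87,8). If these were only needed by the in-process Keymaster implementation and are now expected to arrive through hal_client_domain in passthrough mode, or are already covered by a domain-wide rule, the message should say which, since a wrong assumption surfaces as runtime denials rather than a build failure. One sentence in the description, or a comment beside `r_dir_file(keystore, cgroup)`, would close that gap.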
@@ -87,8 +86,6 @@ allow vold fsck_exec:file { r_file_perms execute };
 allow vold fscklogs:dir rw_dir_perms;
 allow vold fscklogs:file create_file_perms;
 
-allow vold ion_device:chr_file r_file_perms;
-
 #
 # Rules to support encrypted fs support.
 #
@@ -131,9 +128,7 @@ binder_use(vold)
 binder_call(vold, healthd)
 
 # talk to keymaster
-binder_call(vold, hwservicemanager)
-binder_call(vold, hal_keymaster)
-allow vold tee_device:chr_file rw_file_perms;
+hal_client_domain(vold, hal_keymaster)
 
 # Access userdata block device.
 allow vold userdata_block_device:blk_file rw_file_perms;
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 4c6d0d292..32df262ab 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -1,5 +1,5 @@
 type hal_keymaster_default, domain;
-hal_impl_domain(hal_keymaster_default, hal_keymaster)
+hal_server_domain(hal_keymaster_default, hal_keymaster)
 
 type hal_keymaster_default_exec, exec_type, file_type;
 init_daemon_domain(hal_keymaster_default)
-- 
GitLab
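Review bot: In the -131,9 hunk vold gives up only `allow vold tee_device:chr_file rw_file_perms;` and never held `tee:unix_stream_socket connectto`, while hal_keymaster.te grants both to the hal_keymaster attribute; if hal_client_domain attaches hal_keymaster to vold in passthrough mode as the description says, vold gains a TEE socket connect it did not have before. That is a small widening in passthrough mode rather than the pure narrowing the description implies, and it should be called out, or vold's need for it confirmed, in the commit message. If the widening is unwanted, the socket rule would have to leave the shared attribute, which is a change outside this hunk.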