From abfb0bafa5d2c1b28fb0f102f8714fb52b90ff1b Mon Sep 17 00:00:00 2001
From: ChengYou Ho
Date: Thu, 15 Sep 2022 16:13:00 +0000
Subject: [PATCH 1/2] gsc.mk: install oemlock aidl service

Bug: 240932137
Test: VtsHalOemLockTargetTest
Change-Id: Ib46ddafc41f64858e4db099978b6ba89bfa119b9
---
 dauntless/gsc.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dauntless/gsc.mk b/dauntless/gsc.mk
index 6770acb..fc0278d 100644
--- a/dauntless/gsc.mk
+++ b/dauntless/gsc.mk
@@ -7,6 +7,7 @@ PRODUCT_PACKAGES += \
 citadel_updater \
 android.hardware.weaver@1.0-service.citadel \
 android.hardware.authsecret-service.citadel \
+ android.hardware.oemlock-service.citadel \
 android.hardware.identity@1.0-service.citadel \
 init_citadel \
 android.hardware.strongbox_keystore.xml \

From 141c01ba0c4904b0f8353cb4a85e828c0f3c4774 Mon Sep 17 00:00:00 2001
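Review bot: The service is installed here in patch 1/2 while its exec label and `hal_oemlock_citadel` domain only arrive in patch 2/2, so a build at this commit alone ships `android.hardware.oemlock-service.citadel` with no domain transition, and init is expected to refuse to start an unlabelled vendor service once SELinux is enforcing. That leaves a bisect point where the OEM lock HAL is present but never comes up; squashing the two patches, or landing the sepolicy change first, avoids it. The `PRODUCT_PACKAGES` list continues outside the hunk.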
From: ChengYou Ho
Date: Thu, 15 Sep 2022 16:16:08 +0000
Subject: [PATCH 2/2] Add oemlock aidl service sepolicy

1. avc: denied { find } for pid=889 uid=1064 name=android.hardware.citadel.ICitadeld scontext=u:r:hal_oemlock_citadel:s0 tcontext=u:object_r:citadeld_service:s0 tclass=service_manager permissive=1
2. avc: denied { read } for name="vndbinder" dev="binder" ino=6 scontext=u:r:hal_oemlock_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
3. avc: denied { write } for name="vndbinder" dev="binder" ino=6 scontext=u:r:hal_oemlock_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
4. avc: denied { open } for path="/dev/binderfs/vndbinder" dev="binder" ino=6 scontext=u:r:hal_oemlock_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
5. avc: denied { ioctl } for path="/dev/binderfs/vndbinder" dev="binder" ino=6 ioctlcmd=0x6209 scontext=u:r:hal_oemlock_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
6. avc: denied { call } for scontext=u:r:hal_oemlock_citadel:s0 tcontext=u:r:vndservicemanager:s0 tclass=binder permissive=1

Bug: 240932137
Change-Id: I804d925e020f6adfe8cd0c34aedead366c99adc0
---
 dauntless/sepolicy/file_contexts | 1 +
 dauntless/sepolicy/hal_oemlock_citadel.te | 9 +++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 dauntless/sepolicy/hal_oemlock_citadel.te

diff --git a/dauntless/sepolicy/file_contexts b/dauntless/sepolicy/file_contexts
index a1d382b..b8a54d2 100644
--- a/dauntless/sepolicy/file_contexts
+++ b/dauntless/sepolicy/file_contexts
@@ -5,6 +5,7 @@
 /vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.authsecret-service\.citadel u:object_r:hal_authsecret_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.oemlock-service\.citadel u:object_r:hal_oemlock_citadel_exec:s0
 /vendor/bin/hw/citadel_updater u:object_r:citadel_updater:s0
 /vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
diff --git a/dauntless/sepolicy/hal_oemlock_citadel.te b/dauntless/sepolicy/hal_oemlock_citadel.te
new file mode 100644
index 0000000..d3ff719
--- /dev/null
+++ b/dauntless/sepolicy/hal_oemlock_citadel.te
@@ -0,0 +1,9 @@
+type hal_oemlock_citadel, domain;
+type hal_oemlock_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_oemlock_citadel)
+binder_call(hal_oemlock_citadel, citadeld)
+allow hal_oemlock_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_oemlock_citadel, hal_oemlock)
+init_daemon_domain(hal_oemlock_citadel)
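Review bot: Every rule in this new file is lifted from the six permissive-mode denials quoted in the commit message, and unlike patch 1/2 this patch carries no `Test:` trailer showing the domain was exercised with SELinux enforcing. Permissive logs only capture the accesses reached on the path that was actually run, so anything the test did not trigger (a reply from citadeld carrying an fd, or a callback, if the HAL uses one) can still be missing a rule; rerunning VtsHalOemLockTargetTest enforcing and searching the audit log for `hal_oemlock_citadel` before merge would confirm the set is complete. On style, AOSP convention attaches the domain to its role first — `hal_server_domain(hal_oemlock_citadel, hal_oemlock)` and `init_daemon_domain(hal_oemlock_citadel)` directly after the two `type` lines, with the `vndbinder_use`/`binder_call`/`allow` block below — which would also keep this file parallel with the sibling HAL domains if they follow that layout (not visible here). A short header comment such as `# OEM lock AIDL HAL served by citadel; reaches citadeld over vndbinder` would record why a service_manager find on citadeld_service is needed.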