Fix hal_keymint_citadel service access

10-20 10:24:31.155 432 432 E SELinux : avc: denied { find } for pid=481 uid=1064 name=android.hardware.citadel.ICitadeld scontext=u:r:hal_keymint_citadel:s0 tcontext=u:object_r:citadeld_service:s0 tclass=service_manager permissive=1 Bug: 202907039 Test: boot to home with no keymint errors Change-Id: I7935fe52a9774f8fca67336be9c9d47fe2675756
2021-10-20 10:26:18 +08:00 · 2021-10-20 10:26:18 +08:00 · 4c20c40f50
commit 4c20c40f50
parent e9d02e08f5
3 changed files with 6 additions and 2 deletions
--- a/dauntless/hal_keymint_citadel.te
+++ b/dauntless/hal_keymint_citadel.te
@ -2,3 +2,7 @@ type hal_keymint_citadel, domain;
 type hal_keymint_citadel_exec, exec_type, vendor_file_type, file_type;

 init_daemon_domain(hal_keymint_citadel)
+
+hal_server_domain(hal_keymint_citadel, hal_keymint)
+
+allow hal_keymint_citadel citadeld_service:service_manager find;
--- a/dauntless/service_contexts
+++ b/dauntless/service_contexts
@ -0,0 +1,2 @@
+android.hardware.security.keymint.IKeyMintDevice/strongbox      u:object_r:hal_keymint_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/strongbox  u:object_r:hal_sharedsecret_service:s0
--- a/tracking_denials/hal_keymint_citadel.te
+++ b/tracking_denials/hal_keymint_citadel.te
@ -1,2 +0,0 @@
-# b/202907039
-dontaudit hal_keymint_citadel default_android_vndservice:service_manager { find };