From 4c20c40f50e57366c2aade9d34e8ca05c36e9a7b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 20 Oct 2021 10:26:18 +0800
Subject: [PATCH] Fix hal_keymint_citadel service access

10-20 10:24:31.155 432 432 E SELinux : avc: denied { find } for pid=481 uid=1064 name=android.hardware.citadel.ICitadeld scontext=u:r:hal_keymint_citadel:s0 tcontext=u:object_r:citadeld_service:s0 tclass=service_manager permissive=1

Bug: 202907039
Test: boot to home with no keymint errors
Change-Id: I7935fe52a9774f8fca67336be9c9d47fe2675756
---
 dauntless/hal_keymint_citadel.te | 4 ++++
 dauntless/service_contexts | 2 ++
 tracking_denials/hal_keymint_citadel.te | 2 --
 3 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 dauntless/service_contexts
 delete mode 100644 tracking_denials/hal_keymint_citadel.te

diff --git a/dauntless/hal_keymint_citadel.te b/dauntless/hal_keymint_citadel.te
index 04680edf..29f528f1 100644
--- a/dauntless/hal_keymint_citadel.te
+++ b/dauntless/hal_keymint_citadel.te
@@ -2,3 +2,7 @@
 type hal_keymint_citadel, domain;
 type hal_keymint_citadel_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_keymint_citadel)
+
+hal_server_domain(hal_keymint_citadel, hal_keymint)
+
+allow hal_keymint_citadel citadeld_service:service_manager find;
diff --git a/dauntless/service_contexts b/dauntless/service_contexts
new file mode 100644
index 00000000..5639b588
--- /dev/null
+++ b/dauntless/service_contexts
@@ -0,0 +1,2 @@
+android.hardware.security.keymint.IKeyMintDevice/strongbox u:object_r:hal_keymint_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/strongbox u:object_r:hal_sharedsecret_service:s0
diff --git a/tracking_denials/hal_keymint_citadel.te b/tracking_denials/hal_keymint_citadel.te
deleted file mode 100644
index d9000fe0..00000000
--- a/tracking_denials/hal_keymint_citadel.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/202907039
-dontaudit hal_keymint_citadel default_android_vndservice:service_manager { find };
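Review bot: The new `allow hal_keymint_citadel citadeld_service:service_manager find;` line carries no comment saying why a KeyMint HAL needs to look up citadeld; the only record of that is the avc denial quoted in the commit message (name=android.hardware.citadel.ICitadeld, tcontext=citadeld_service). A one-line comment keeps the rationale next to the rule, e.g. `# Look up ICitadeld (citadeld_service); the HAL is backed by the Citadel chip via citadeld` — the "backed by" part is my reading of the names, so adjust if inaccurate. The `hal_server_domain(hal_keymint_citadel, hal_keymint)` line is what lets this daemon register the services labelled in the new service_contexts, so a short comment such as `# Serves IKeyMintDevice/strongbox and ISharedSecret/strongbox (see service_contexts)` would tie the two hunks together. Since the deleted tracking_denials file only suppressed auditing of `default_android_vndservice` finds and granted nothing, it is worth confirming from a full boot log that this daemon performs no other lookup that the removed dontaudit was hiding.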
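Review bot: The new dauntless/service_contexts file has no header comment linking the two `/strongbox` instances to the daemon that registers them, which will matter once more entries are added. A line such as `# StrongBox AIDL services registered by hal_keymint_citadel` at the top would do; that attribution is inferred from the hal_server_domain(hal_keymint_citadel, hal_keymint) added in the same change rather than stated anywhere in this hunk. The Test: line only mentions keymint errors, so it is worth confirming that the ISharedSecret/strongbox lookup was also exercised, otherwise the hal_sharedsecret_service label has no boot coverage.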