Citadel: move rules to common directory
Move all the common Citadel rules to a directory where they can all be
changed simultaneously and avoid accidental version skew between the
devices.
Test: build affected devices locally
Bug: 143330574
Change-Id: I238f5211ccb606af13fb429134d76eae847a7d8e
diff --git a/coral-sepolicy.mk b/coral-sepolicy.mk
index b4da01c..4d1a0e2 100644
--- a/coral-sepolicy.mk
+++ b/coral-sepolicy.mk
@@ -8,3 +8,6 @@
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/knowles/common
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/tracking_denials
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/verizon
+
+# Pixel-wide
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel
diff --git a/vendor/google/citadel_provision.te b/vendor/google/citadel_provision.te
index d178a79..803195d 100644
--- a/vendor/google/citadel_provision.te
+++ b/vendor/google/citadel_provision.te
@@ -1,31 +1,25 @@
-type citadel_provision, domain;
-type citadel_provision_exec, exec_type, vendor_file_type, file_type;
-
# Extra permissions for userdebug that allow lazy-provisioning of
# keymaster preshared-keys, used for faceauth authtoken enforcement.
# (i.e. for EVT devices that leave factory unprovisioned).
userdebug_or_eng(`
+ vndbinder_use(citadel_provision)
+ binder_call(citadel_provision, citadeld)
+ allow citadel_provision citadeld_service:service_manager find;
+ hwbinder_use(citadel_provision)
+ get_prop(citadel_provision, hwservicemanager_prop)
+ allow citadel_provision hidl_manager_hwservice:hwservice_manager find;
-init_daemon_domain(citadel_provision)
+ allow citadel_provision vndbinder_device:chr_file ioctl;
+ allow citadel_provision self:qipcrtr_socket create_socket_perms_no_ioctl;
+ allow citadel_provision ion_device:chr_file r_file_perms;
+ allow citadel_provision tee_device:chr_file rw_file_perms;
+ get_prop(citadel_provision, vendor_tee_listener_prop);
-vndbinder_use(citadel_provision)
-binder_call(citadel_provision, citadeld)
-allow citadel_provision citadeld_service:service_manager find;
-hwbinder_use(citadel_provision)
-get_prop(citadel_provision, hwservicemanager_prop)
-allow citadel_provision hidl_manager_hwservice:hwservice_manager find;
-
-allow citadel_provision vndbinder_device:chr_file ioctl;
-allow citadel_provision self:qipcrtr_socket create_socket_perms_no_ioctl;
-allow citadel_provision ion_device:chr_file r_file_perms;
-allow citadel_provision tee_device:chr_file rw_file_perms;
-get_prop(citadel_provision, vendor_tee_listener_prop);
-
-dontaudit citadel_provision sysfs_esoc:dir r_dir_perms;
-dontaudit citadel_provision sysfs_esoc:file r_file_perms;
-dontaudit citadel_provision sysfs_msm_subsys:dir r_dir_perms;
-dontaudit citadel_provision sysfs_ssr:file r_file_perms;
-dontaudit citadel_provision sysfs:file r_file_perms;
-dontaudit citadel_provision sysfs_faceauth:dir r_dir_perms;
-dontaudit citadel_provision sysfs_faceauth:file r_file_perms;
+ dontaudit citadel_provision sysfs_esoc:dir r_dir_perms;
+ dontaudit citadel_provision sysfs_esoc:file r_file_perms;
+ dontaudit citadel_provision sysfs_msm_subsys:dir r_dir_perms;
+ dontaudit citadel_provision sysfs_ssr:file r_file_perms;
+ dontaudit citadel_provision sysfs:file r_file_perms;
+ dontaudit citadel_provision sysfs_faceauth:dir r_dir_perms;
+ dontaudit citadel_provision sysfs_faceauth:file r_file_perms;
')
diff --git a/vendor/google/citadeld.te b/vendor/google/citadeld.te
index 7f6a31f..dc18d24 100644
--- a/vendor/google/citadeld.te
+++ b/vendor/google/citadeld.te
@@ -1,20 +1,2 @@
-type citadeld, domain;
-type citadeld_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(citadeld)
-add_service(citadeld, citadeld_service)
-
-allow citadeld citadel_device:chr_file rw_file_perms;
-
-allow citadeld hal_power_stats_default:binder { call transfer };
allow citadeld power_stats_service:service_manager find;
-
allow citadeld debugfs_ipc:dir search;
-
-# Let citadeld find and use statsd.
-hwbinder_use(citadeld)
-get_prop(citadeld, hwservicemanager_prop)
-allow citadeld fwk_stats_hwservice:hwservice_manager find;
-binder_call(citadeld, stats_service_server)
-
-init_daemon_domain(citadeld)
diff --git a/vendor/google/device.te b/vendor/google/device.te
index 08e8154..03af45f 100644
--- a/vendor/google/device.te
+++ b/vendor/google/device.te
@@ -1,7 +1,6 @@
type abc_tpu_device, dev_type;
type airbrush_device, dev_type, mlstrustedobject;
type airbrush_sm_device, dev_type, mlstrustedobject;
-type citadel_device, dev_type;
type faceauth_device, dev_type;
type ipu_device, dev_type, mlstrustedobject;
type touch_offload_device, dev_type;
diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts
index 4fd4689..c6de807 100644
--- a/vendor/google/file_contexts
+++ b/vendor/google/file_contexts
@@ -6,7 +6,6 @@
/dev/access-metadata u:object_r:ramoops_device:s0
/dev/access-ramoops u:object_r:ramoops_device:s0
/dev/block/zram0 u:object_r:swap_block_device:s0
-/dev/citadel0 u:object_r:citadel_device:s0
/dev/faceauth u:object_r:faceauth_device:s0
/dev/ipu u:object_r:ipu_device:s0
/dev/maxfg_history u:object_r:maxfg_device:s0
@@ -32,22 +31,13 @@
/vendor/bin/hw/android\.hardware\.biometrics\.face@1\.0-service\.google u:object_r:hal_face_default_exec:s0
/vendor/bin/hw/android\.hardware\.camera\.provider@2\.6-service-google u:object_r:hal_camera_default_exec:s0
/vendor/bin/hw/android\.hardware\.contexthub@1\.1-service\.generic u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-noronha u:object_r:hal_neuralnetworks_darwinn_exec:s0
/vendor/bin/hw/android\.hardware\.power\.stats@1\.0-service\.pixel u:object_r:hal_power_stats_default_exec:s0
-/vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel u:object_r:hal_rebootescrow_citadel_exec:s0
/vendor/bin/hw/android\.hardware\.secure_element@1\.0-service\.st u:object_r:hal_secure_element_default_exec:s0
/vendor/bin/hw/android\.hardware\.usb@1\.2-service\.coral u:object_r:hal_usb_impl_exec:s0
-/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
-/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
-/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
-/vendor/bin/hw/citadel_updater u:object_r:citadel_updater_exec:s0
-/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0
/vendor/bin/hw/hardware\.google\.light@1\.1-service u:object_r:hal_light_default_exec:s0
/vendor/bin/hw/vendor\.google\.airbrush@1\.0-service u:object_r:airbrush_exec:s0
/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
-/vendor/bin/hw/wait_for_strongbox u:object_r:wait_for_strongbox_exec:s0
/vendor/bin/color_init u:object_r:color_init_exec:s0
/vendor/bin/init\.ramoops\.sh u:object_r:ramoops_exec:s0
/vendor/bin/modem_svc u:object_r:modem_svc_exec:s0
@@ -118,7 +108,6 @@
/data/vendor/hal_neuralnetworks_darwinn/hal_camera(/.*)? u:object_r:hal_neuralnetworks_darwinn_hal_camera_data_file:s0
/data/vendor/camera_calibration(/.*)? u:object_r:camera_calibration_vendor_data_file:s0
/data/vendor/face(/.*)? u:object_r:face_vendor_data_file:s0
-/data/vendor/rebootescrow(/.*)? u:object_r:hal_rebootescrow_citadel_data_file:s0
/data/per_boot(/.*)? u:object_r:per_boot_file:s0
# dev socket node
diff --git a/vendor/google/hal_keymaster_citadel.te b/vendor/google/hal_keymaster_citadel.te
deleted file mode 100644
index dd0a735..0000000
--- a/vendor/google/hal_keymaster_citadel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_keymaster_citadel, domain;
-type hal_keymaster_citadel_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(hal_keymaster_citadel)
-binder_call(hal_keymaster_citadel, citadeld)
-allow hal_keymaster_citadel citadeld_service:service_manager find;
-
-hal_server_domain(hal_keymaster_citadel, hal_keymaster)
-init_daemon_domain(hal_keymaster_citadel)
-
-get_prop(hal_keymaster_citadel, vendor_security_patch_level_prop)
diff --git a/vendor/google/hal_rebootescrow_citadel.te b/vendor/google/hal_rebootescrow_citadel.te
deleted file mode 100644
index 4ca8a1e..0000000
--- a/vendor/google/hal_rebootescrow_citadel.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type hal_rebootescrow_citadel, domain;
-type hal_rebootescrow_citadel_exec, exec_type, vendor_file_type, file_type;
-type hal_rebootescrow_citadel_data_file, file_type, data_file_type;
-
-hal_server_domain(hal_rebootescrow_citadel, hal_rebootescrow)
-
-vndbinder_use(hal_rebootescrow_citadel)
-binder_call(hal_rebootescrow_citadel, citadeld)
-allow hal_rebootescrow_citadel citadeld_service:service_manager find;
-
-hal_client_domain(hal_rebootescrow_citadel, hal_keymaster)
-
-init_daemon_domain(hal_rebootescrow_citadel)
-
-allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:dir create_dir_perms;
-allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:file create_file_perms;
-
diff --git a/vendor/google/hal_weaver_citadel.te b/vendor/google/hal_weaver_citadel.te
deleted file mode 100644
index aa16960..0000000
--- a/vendor/google/hal_weaver_citadel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_weaver_citadel, domain;
-type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(hal_weaver_citadel)
-binder_call(hal_weaver_citadel, citadeld)
-allow hal_weaver_citadel citadeld_service:service_manager find;
-
-hal_server_domain(hal_weaver_citadel, hal_weaver)
-hal_server_domain(hal_weaver_citadel, hal_oemlock)
-hal_server_domain(hal_weaver_citadel, hal_authsecret)
-init_daemon_domain(hal_weaver_citadel)
diff --git a/vendor/google/init_citadel.te b/vendor/google/init_citadel.te
index 3306804..f08ea1f 100644
--- a/vendor/google/init_citadel.te
+++ b/vendor/google/init_citadel.te
@@ -1,20 +1,3 @@
-type init_citadel, domain;
-type init_citadel_exec, exec_type, vendor_file_type, file_type;
-type citadel_updater_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(init_citadel)
-
-vndbinder_use(init_citadel)
-binder_call(init_citadel, citadeld)
-allow init_citadel citadeld_service:service_manager find;
-
-# Many standard utils are actually vendor_toolbox (like xxd)
-allow init_citadel vendor_toolbox_exec:file rx_file_perms;
-
-# init_citadel needs to invoke citadel_updater
-allow init_citadel citadel_updater_exec:file rx_file_perms;
-allow init_citadel citadel_device:chr_file rw_file_perms;
-
-# We also might need to read the board-id from a sysfs file, if
-# we can't determine it from getprop.
+# init_citadel might need to read the board-id from a sysfs file, if we
+# can't determine it from getprop.
allow init_citadel sysfs_msm_boardid:file r_file_perms;
diff --git a/vendor/google/recovery.te b/vendor/google/recovery.te
index 7e7925c..39cb557 100644
--- a/vendor/google/recovery.te
+++ b/vendor/google/recovery.te
@@ -1,5 +1,4 @@
recovery_only(`
- allow recovery citadel_device:chr_file rw_file_perms;
allow recovery sg_device:chr_file rw_file_perms;
allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
')
diff --git a/vendor/google/vndservice.te b/vendor/google/vndservice.te
index 8047846..33ce7dd 100644
--- a/vendor/google/vndservice.te
+++ b/vendor/google/vndservice.te
@@ -1,4 +1,3 @@
-type citadeld_service, vndservice_manager_type;
type rls_service, vndservice_manager_type;
type power_stats_service, vndservice_manager_type;
type airbrush_faceauth_service, vndservice_manager_type;
diff --git a/vendor/google/vndservice_contexts b/vendor/google/vndservice_contexts
index f0744bd..c59c217 100644
--- a/vendor/google/vndservice_contexts
+++ b/vendor/google/vndservice_contexts
@@ -1,4 +1,3 @@
-android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0
rlsservice u:object_r:rls_service:s0
airbrush_faceauth u:object_r:airbrush_faceauth_service:s0
airbrush_tpu u:object_r:airbrush_tpu_service:s0
diff --git a/vendor/google/wait_for_strongbox.te b/vendor/google/wait_for_strongbox.te
deleted file mode 100644
index c9586c8..0000000
--- a/vendor/google/wait_for_strongbox.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# wait_for_strongbox service
-type wait_for_strongbox, domain;
-type wait_for_strongbox_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(wait_for_strongbox)
-
-hal_client_domain(wait_for_strongbox, hal_keymaster)
-
-allow wait_for_strongbox kmsg_device:chr_file w_file_perms;
\ No newline at end of file
