Citadel: move rules to common directory am: cf569344b8 am: c2c0a7d725 am: 7cc65513f2 am: 5473f21e75

Original change: https://android-review.googlesource.com/c/platform/hardware/google/pixel-sepolicy/+/1392311

Change-Id: I621f3f4d7f01f18c1f73962dadabbf374ef3e0f0
diff --git a/citadel/README.md b/citadel/README.md
new file mode 100644
index 0000000..40b330b
--- /dev/null
+++ b/citadel/README.md
@@ -0,0 +1,7 @@
+### Citadel SELinux rules
+
+This directory contains all the SELinux rules for communication with the
+apps on Citadel. For more information on Citadel, see
+[go/nugget-os](https://goto.google.com/nugget-os) or the
+[`external/nos`](../../../../external/nos) and
+[`vendor/google_nos`](../../../../vendor/google_nos) directories.
diff --git a/citadel/citadel_provision.te b/citadel/citadel_provision.te
new file mode 100644
index 0000000..5605085
--- /dev/null
+++ b/citadel/citadel_provision.te
@@ -0,0 +1,6 @@
+type citadel_provision, domain;
+type citadel_provision_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+  init_daemon_domain(citadel_provision)
+')
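Review bot: `citadel_provision` and `citadel_provision_exec` are declared unconditionally, but the only rule that gives the domain any permissions, `init_daemon_domain(citadel_provision)`, sits inside `userdebug_or_eng`, so on user builds a `/vendor/bin/CitadelProvision` labelled by file_contexts has no domain transition and cannot be started by init. If that is the intent (a debug-only provisioning tool), a comment would stop a later reader from "fixing" it: `# Provisioning is a userdebug/eng-only tool; user builds deliberately grant this domain nothing.` If the binary must also run on user builds, the domain needs rules outside the macro.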
diff --git a/citadel/citadeld.te b/citadel/citadeld.te
new file mode 100644
index 0000000..a1b7a6d
--- /dev/null
+++ b/citadel/citadeld.te
@@ -0,0 +1,17 @@
+type citadeld, domain;
+type citadeld_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(citadeld)
+add_service(citadeld, citadeld_service)
+
+allow citadeld citadel_device:chr_file rw_file_perms;
+
+init_daemon_domain(citadeld)
+
+binder_call(citadeld, hal_power_stats_default)
+
+# Let citadeld find and use statsd.
+hwbinder_use(citadeld)
+get_prop(citadeld, hwservicemanager_prop)
+allow citadeld fwk_stats_hwservice:hwservice_manager find;
+binder_call(citadeld, stats_service_server)
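Review bot: `binder_call(citadeld, hal_power_stats_default)` is the one grant in this file without a comment saying which interface it serves, while the statsd block below is explained; since `binder_call` is bidirectional and adds the power-stats HAL to citadeld's reachable surface, a one-line why-comment is warranted, e.g. `# Power stats HAL: citadeld exchanges binder calls with hal_power_stats_default for <purpose> — confirm`. The same goes for `allow citadeld citadel_device:chr_file rw_file_perms;`, which is the raw-device access that init_citadel.te's comment says other domains should route through citadeld; `# citadeld is the sole broker for /dev/citadel0` would record that role next to the rule.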
diff --git a/citadel/device.te b/citadel/device.te
new file mode 100644
index 0000000..f63186f
--- /dev/null
+++ b/citadel/device.te
@@ -0,0 +1 @@
+type citadel_device, dev_type;
diff --git a/citadel/file.te b/citadel/file.te
new file mode 100644
index 0000000..951393e
--- /dev/null
+++ b/citadel/file.te
@@ -0,0 +1 @@
+type hal_rebootescrow_citadel_data_file, file_type, data_file_type;
diff --git a/citadel/file_contexts b/citadel/file_contexts
new file mode 100644
index 0000000..d749e46
--- /dev/null
+++ b/citadel/file_contexts
@@ -0,0 +1,10 @@
+/data/vendor/rebootescrow(/.*)?                                    u:object_r:hal_rebootescrow_citadel_data_file:s0
+/dev/citadel0                                                      u:object_r:citadel_device:s0
+/vendor/bin/CitadelProvision                                       u:object_r:citadel_provision_exec:s0
+/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel  u:object_r:hal_keymaster_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel    u:object_r:hal_rebootescrow_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel     u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/citadel_updater                                     u:object_r:citadel_updater_exec:s0
+/vendor/bin/hw/citadeld                                            u:object_r:citadeld_exec:s0
+/vendor/bin/hw/init_citadel                                        u:object_r:init_citadel_exec:s0
+/vendor/bin/hw/wait_for_strongbox                                  u:object_r:wait_for_strongbox_exec:s0
diff --git a/citadel/hal_keymaster_citadel.te b/citadel/hal_keymaster_citadel.te
new file mode 100644
index 0000000..dd0a735
--- /dev/null
+++ b/citadel/hal_keymaster_citadel.te
@@ -0,0 +1,11 @@
+type hal_keymaster_citadel, domain;
+type hal_keymaster_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_keymaster_citadel)
+binder_call(hal_keymaster_citadel, citadeld)
+allow hal_keymaster_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_keymaster_citadel, hal_keymaster)
+init_daemon_domain(hal_keymaster_citadel)
+
+get_prop(hal_keymaster_citadel, vendor_security_patch_level_prop)
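Review bot: The three-line client block `vndbinder_use(hal_keymaster_citadel)`, `binder_call(hal_keymaster_citadel, citadeld)`, `allow hal_keymaster_citadel citadeld_service:service_manager find;` is repeated verbatim in hal_rebootescrow_citadel.te, hal_weaver_citadel.te and init_citadel.te, so a future Citadel client can easily copy two of the three rules and fail at runtime with a denial. Since the build collects `te_macros` from policy directories, a `citadeld_client(domain)` macro in `citadel/te_macros` would let each file say `citadeld_client(hal_keymaster_citadel)` and make "may talk to citadeld" greppable in one place. The `get_prop(hal_keymaster_citadel, vendor_security_patch_level_prop)` line would also benefit from a why-comment, e.g. `# Reports the vendor security patch level through keymaster — confirm`.
```selinux
# Grant $1 the minimum needed to find and call citadeld over vndbinder.
define(`citadeld_client', `
  vndbinder_use($1)
  binder_call($1, citadeld)
  allow $1 citadeld_service:service_manager find;
')
```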
diff --git a/citadel/hal_rebootescrow_citadel.te b/citadel/hal_rebootescrow_citadel.te
new file mode 100644
index 0000000..c85ce20
--- /dev/null
+++ b/citadel/hal_rebootescrow_citadel.te
@@ -0,0 +1,15 @@
+type hal_rebootescrow_citadel, domain;
+type hal_rebootescrow_citadel_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_rebootescrow_citadel, hal_rebootescrow)
+
+vndbinder_use(hal_rebootescrow_citadel)
+binder_call(hal_rebootescrow_citadel, citadeld)
+allow hal_rebootescrow_citadel citadeld_service:service_manager find;
+
+hal_client_domain(hal_rebootescrow_citadel, hal_keymaster)
+
+init_daemon_domain(hal_rebootescrow_citadel)
+
+allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:dir create_dir_perms;
+allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:file create_file_perms;
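Review bot: The last two rules grant create/write on `hal_rebootescrow_citadel_data_file` (`/data/vendor/rebootescrow` in file_contexts) without saying what is persisted there or why the HAL must be able to create the directory itself, and `hal_client_domain(hal_rebootescrow_citadel, hal_keymaster)` is likewise unexplained. Suggested comments: above the data-file rules `# Reboot-escrow state is persisted under /data/vendor/rebootescrow; only this HAL creates or modifies it — confirm contents`, and above the keymaster line `# Keymaster client: used to protect the escrowed material — confirm`.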
diff --git a/citadel/hal_weaver_citadel.te b/citadel/hal_weaver_citadel.te
new file mode 100644
index 0000000..aa16960
--- /dev/null
+++ b/citadel/hal_weaver_citadel.te
@@ -0,0 +1,11 @@
+type hal_weaver_citadel, domain;
+type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_weaver_citadel)
+binder_call(hal_weaver_citadel, citadeld)
+allow hal_weaver_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_weaver_citadel, hal_weaver)
+hal_server_domain(hal_weaver_citadel, hal_oemlock)
+hal_server_domain(hal_weaver_citadel, hal_authsecret)
+init_daemon_domain(hal_weaver_citadel)
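Review bot: `hal_weaver_citadel` is made the server for `hal_oemlock` and `hal_authsecret` in addition to `hal_weaver`, which a reader of a file named hal_weaver_citadel.te will not expect and which means one domain carries the combined attack surface of three HALs. A comment above the three `hal_server_domain` lines should record that this is deliberate, e.g. `# A single Citadel process serves the weaver, oemlock and authsecret HALs.`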
diff --git a/citadel/init_citadel.te b/citadel/init_citadel.te
new file mode 100644
index 0000000..1459ef4
--- /dev/null
+++ b/citadel/init_citadel.te
@@ -0,0 +1,17 @@
+type init_citadel, domain;
+type init_citadel_exec, exec_type, vendor_file_type, file_type;
+type citadel_updater_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_citadel)
+
+# Citadel communication must be via citadeld
+vndbinder_use(init_citadel)
+binder_call(init_citadel, citadeld)
+allow init_citadel citadeld_service:service_manager find;
+
+# Many standard utils are actually vendor_toolbox (like xxd)
+allow init_citadel vendor_toolbox_exec:file rx_file_perms;
+
+# init_citadel needs to invoke citadel_updater
+allow init_citadel citadel_updater_exec:file rx_file_perms;
+allow init_citadel citadel_device:chr_file rw_file_perms;
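Review bot: The final rule `allow init_citadel citadel_device:chr_file rw_file_perms;` contradicts the comment `# Citadel communication must be via citadeld` a few lines above, and the comment immediately preceding it only justifies executing citadel_updater, not raw access to the device. If the updater genuinely needs the character device, say so next to the rule and keep it reviewable: `# citadel_updater runs in this domain and drives /dev/citadel0 directly — confirm this is still required`; otherwise the rule should be dropped. Note also that `citadel_updater_exec` is granted `rx_file_perms` with no domain transition, so the updater inherits every init_citadel permission; a comment stating that this is intentional would help.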
diff --git a/citadel/recovery.te b/citadel/recovery.te
new file mode 100644
index 0000000..c68244f
--- /dev/null
+++ b/citadel/recovery.te
@@ -0,0 +1,3 @@
+recovery_only(`
+  allow recovery citadel_device:chr_file rw_file_perms;
+')
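Review bot: The `recovery_only` grant gives the recovery domain raw `rw_file_perms` on `citadel_device` with no comment on what recovery does with it; since the other Citadel domains in this change are expected to go through citadeld, a why-comment such as `# No citadeld in recovery: recovery talks to /dev/citadel0 directly for <purpose> — confirm` would make the exception auditable.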
diff --git a/citadel/vndservice.te b/citadel/vndservice.te
new file mode 100644
index 0000000..880c09c
--- /dev/null
+++ b/citadel/vndservice.te
@@ -0,0 +1 @@
+type citadeld_service, vndservice_manager_type;
diff --git a/citadel/vndservice_contexts b/citadel/vndservice_contexts
new file mode 100644
index 0000000..b4df996
--- /dev/null
+++ b/citadel/vndservice_contexts
@@ -0,0 +1 @@
+android.hardware.citadel.ICitadeld  u:object_r:citadeld_service:s0
diff --git a/citadel/wait_for_strongbox.te b/citadel/wait_for_strongbox.te
new file mode 100644
index 0000000..960d063
--- /dev/null
+++ b/citadel/wait_for_strongbox.te
@@ -0,0 +1,9 @@
+# wait_for_strongbox service
+type wait_for_strongbox, domain;
+type wait_for_strongbox_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(wait_for_strongbox)
+
+hal_client_domain(wait_for_strongbox, hal_keymaster)
+
+allow wait_for_strongbox kmsg_device:chr_file w_file_perms;
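Review bot: The header `# wait_for_strongbox service` restates the domain name but not its contract; the rules show only that it is a keymaster HAL client that writes to the kernel log device (`kmsg_device`). A comment such as `# Keymaster client that waits for the StrongBox keymaster to become available, logging progress to kmsg — confirm` above `hal_client_domain` would tell a reader why a boot-time helper needs a keymaster connection and kernel-log write access.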