Merge "Move bt Compatibility matrix and some packages to gs-common"
diff --git a/dauntless/gsc.mk b/dauntless/gsc.mk
index fd3e3bc..a26644a 100644
--- a/dauntless/gsc.mk
+++ b/dauntless/gsc.mk
@@ -1,2 +1,19 @@
-PRODUCT_PACKAGES += dump_gsc.sh
+# Dauntless
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/dauntless/sepolicy
+PRODUCT_SOONG_NAMESPACES += vendor/google_nos/init/dauntless
+
+PRODUCT_PACKAGES += \
+    citadeld \
+    citadel_updater \
+    android.hardware.weaver@1.0-service.citadel \
+    android.hardware.identity@1.0-service.citadel \
+    init_citadel \
+    android.hardware.strongbox_keystore.xml \
+    android.hardware.security.keymint-service.citadel \
+    dump_gsc.sh
+
+# USERDEBUG ONLY: Install test packages
+PRODUCT_PACKAGES_DEBUG += citadel_integration_tests \
+                          pwntest \
+                          nugget_targeted_tests \
+                          CitadelProvision
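Review bot: The comment `# USERDEBUG ONLY: Install test packages` understates where these packages land, because `PRODUCT_PACKAGES_DEBUG` is installed on eng builds as well as userdebug. That is also what `userdebug_or_eng` in citadel_provision.te assumes. The comment is what a reader relies on to confirm that `pwntest`, the test suites and `CitadelProvision` never reach user builds, so I would word it `# userdebug/eng only: test and provisioning tools, never installed on user builds`. The new `# Dauntless` line at the top of the file could likewise say what the file pulls in.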
diff --git a/dauntless/sepolicy/citadel_provision.te b/dauntless/sepolicy/citadel_provision.te
new file mode 100644
index 0000000..5605085
--- /dev/null
+++ b/dauntless/sepolicy/citadel_provision.te
@@ -0,0 +1,6 @@
+type citadel_provision, domain;
+type citadel_provision_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+  init_daemon_domain(citadel_provision)
+')
diff --git a/dauntless/sepolicy/citadeld.te b/dauntless/sepolicy/citadeld.te
new file mode 100644
index 0000000..86cb61c
--- /dev/null
+++ b/dauntless/sepolicy/citadeld.te
@@ -0,0 +1,13 @@
+type citadeld, domain;
+type citadeld_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(citadeld)
+
+add_service(citadeld, citadeld_service)
+binder_use(citadeld)
+vndbinder_use(citadeld)
+binder_call(citadeld, system_server)
+
+allow citadeld citadel_device:chr_file rw_file_perms;
+allow citadeld fwk_stats_service:service_manager find;
+allow citadeld hal_power_stats_vendor_service:service_manager find;
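Review bot: Nothing in this file says why citadeld, the only domain given `rw_file_perms` on `citadel_device`, also needs the framework binder through `binder_use(citadeld)` and `binder_call(citadeld, system_server)` in addition to `vndbinder_use`. The two `find` rules at the end suggest the framework side is only used to report stats, but that is an inference from the service names. If so, a comment above `binder_use(citadeld)` such as `# Framework binder is used only to publish stats (fwk_stats_service, power stats); HAL clients reach citadeld over vndbinder` would let a later reviewer tell intended reach from accidental reach. It would also be worth confirming that the call into system_server is needed, rather than just the service lookup.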
diff --git a/dauntless/sepolicy/device.te b/dauntless/sepolicy/device.te
new file mode 100644
index 0000000..f63186f
--- /dev/null
+++ b/dauntless/sepolicy/device.te
@@ -0,0 +1 @@
+type citadel_device, dev_type;
diff --git a/dauntless/sepolicy/file.te b/dauntless/sepolicy/file.te
new file mode 100644
index 0000000..cfc0dea
--- /dev/null
+++ b/dauntless/sepolicy/file.te
@@ -0,0 +1 @@
+type citadel_updater, vendor_file_type, file_type;
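Review bot: `citadel_updater` is declared as a plain vendor file type, with no `_exec` suffix and no `exec_type`, although file_contexts in this commit applies it to the binary `/vendor/bin/hw/citadel_updater` and init_citadel.te grants `rx_file_perms` on it. That reads as deliberate, with the updater running inside the init_citadel domain instead of getting a domain of its own, but the bare name looks like a domain and differs from every other label added here. A comment such as `# Label for the citadel_updater binary; executed by init_citadel with no domain transition` would make the intent explicit.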
diff --git a/dauntless/sepolicy/file_contexts b/dauntless/sepolicy/file_contexts
index 8a03c79..80ff2ae 100644
--- a/dauntless/sepolicy/file_contexts
+++ b/dauntless/sepolicy/file_contexts
@@ -1 +1,10 @@
-/vendor/bin/dump/dump_gsc\.sh        u:object_r:dump_gsc_exec:s0
+/vendor/bin/dump/dump_gsc\.sh                                               u:object_r:dump_gsc_exec:s0
+/vendor/bin/CitadelProvision                                                u:object_r:citadel_provision_exec:s0
+/vendor/bin/hw/init_citadel                                                 u:object_r:init_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.citadel        u:object_r:hal_keymint_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel              u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel            u:object_r:hal_identity_citadel_exec:s0
+/vendor/bin/hw/citadel_updater                                              u:object_r:citadel_updater:s0
+/vendor/bin/hw/citadeld                                                     u:object_r:citadeld_exec:s0
+
+/dev/gsc0                                                                   u:object_r:citadel_device:s0
diff --git a/dauntless/sepolicy/hal_identity_citadel.te b/dauntless/sepolicy/hal_identity_citadel.te
new file mode 100644
index 0000000..c181e27
--- /dev/null
+++ b/dauntless/sepolicy/hal_identity_citadel.te
@@ -0,0 +1,11 @@
+type hal_identity_citadel, domain;
+type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_identity_citadel)
+binder_call(hal_identity_citadel, citadeld)
+allow hal_identity_citadel citadeld_service:service_manager find;
+allow hal_identity_citadel hal_keymint_citadel:binder call;
+
+hal_server_domain(hal_identity_citadel, hal_identity)
+hal_server_domain(hal_identity_citadel, hal_keymint)
+init_daemon_domain(hal_identity_citadel)
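Review bot: `hal_server_domain(hal_identity_citadel, hal_keymint)` gives the identity service the full keymint server role, which is broader than the one visible need, `allow hal_identity_citadel hal_keymint_citadel:binder call;`. If the identity HAL only consumes keymint, `hal_client_domain(hal_identity_citadel, hal_keymint)` would express that with less privilege. If the binary really does register a keymint interface, a comment saying so belongs next to the line. The raw `:binder call` rule is also inconsistent with the `binder_call(...)` macro used for citadeld two lines earlier, and the macro grants more than `call`, so it is worth stating which form is intended.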
diff --git a/dauntless/sepolicy/hal_keymint_citadel.te b/dauntless/sepolicy/hal_keymint_citadel.te
new file mode 100644
index 0000000..e1a6177
--- /dev/null
+++ b/dauntless/sepolicy/hal_keymint_citadel.te
@@ -0,0 +1,9 @@
+type hal_keymint_citadel, domain;
+type hal_keymint_citadel_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_keymint_citadel, hal_keymint)
+init_daemon_domain(hal_keymint_citadel)
+vndbinder_use(hal_keymint_citadel)
+get_prop(hal_keymint_citadel, vendor_security_patch_level_prop)
+allow hal_keymint_citadel citadeld_service:service_manager find;
+binder_call(hal_keymint_citadel, citadeld)
diff --git a/dauntless/sepolicy/hal_weaver_citadel.te b/dauntless/sepolicy/hal_weaver_citadel.te
new file mode 100644
index 0000000..c47287b
--- /dev/null
+++ b/dauntless/sepolicy/hal_weaver_citadel.te
@@ -0,0 +1,11 @@
+type hal_weaver_citadel, domain;
+type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_weaver_citadel)
+hal_server_domain(hal_weaver_citadel, hal_weaver)
+hal_server_domain(hal_weaver_citadel, hal_oemlock)
+hal_server_domain(hal_weaver_citadel, hal_authsecret)
+vndbinder_use(hal_weaver_citadel)
+binder_call(hal_weaver_citadel, citadeld)
+
+allow hal_weaver_citadel citadeld_service:service_manager find;
diff --git a/dauntless/sepolicy/init_citadel.te b/dauntless/sepolicy/init_citadel.te
new file mode 100644
index 0000000..2e986d0
--- /dev/null
+++ b/dauntless/sepolicy/init_citadel.te
@@ -0,0 +1,15 @@
+type init_citadel, domain;
+type init_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_citadel)
+
+# Citadel communication must be via citadeld
+vndbinder_use(init_citadel)
+binder_call(init_citadel, citadeld)
+allow init_citadel citadeld_service:service_manager find;
+
+# Many standard utils are actually vendor_toolbox (like xxd)
+allow init_citadel vendor_toolbox_exec:file rx_file_perms;
+
+# init_citadel needs to invoke citadel_updater
+allow init_citadel citadel_updater:file rx_file_perms;
diff --git a/dauntless/sepolicy/service_contexts b/dauntless/sepolicy/service_contexts
new file mode 100644
index 0000000..ac6a186
--- /dev/null
+++ b/dauntless/sepolicy/service_contexts
@@ -0,0 +1,3 @@
+android.hardware.security.keymint.IKeyMintDevice/strongbox      u:object_r:hal_keymint_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/strongbox  u:object_r:hal_sharedsecret_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/strongbox  u:object_r:hal_remotelyprovisionedcomponent_service:s0
diff --git a/dauntless/sepolicy/vndservice.te b/dauntless/sepolicy/vndservice.te
new file mode 100644
index 0000000..880c09c
--- /dev/null
+++ b/dauntless/sepolicy/vndservice.te
@@ -0,0 +1 @@
+type citadeld_service, vndservice_manager_type;
diff --git a/dauntless/sepolicy/vndservice_contexts b/dauntless/sepolicy/vndservice_contexts
new file mode 100644
index 0000000..b4df996
--- /dev/null
+++ b/dauntless/sepolicy/vndservice_contexts
@@ -0,0 +1 @@
+android.hardware.citadel.ICitadeld  u:object_r:citadeld_service:s0
diff --git a/insmod/Android.bp b/insmod/Android.bp
new file mode 100644
index 0000000..4db5de5
--- /dev/null
+++ b/insmod/Android.bp
@@ -0,0 +1,13 @@
+sh_binary {
+    name: "insmod.sh",
+    src: "insmod.sh",
+    init_rc: ["init.module.rc"],
+    vendor: true,
+}
+
+prebuilt_etc {
+    name: "init.common.cfg",
+    src: "init.common.cfg",
+    vendor: true,
+}
+
diff --git a/insmod/init.common.cfg b/insmod/init.common.cfg
new file mode 100644
index 0000000..3a81fd2
--- /dev/null
+++ b/insmod/init.common.cfg
@@ -0,0 +1,11 @@
+####################################################
+#           init.insmod.common.cfg                 #
+# This file contains common kernel modules to load #
+# at init time by init.insmod.sh script            #
+####################################################
+
+# Load common kernel modules
+# Modules here will be loaded *before* device specific modules
+modprobe|-b *
+# All common modules loaded
+setprop|vendor.common.modules.ready
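Review bot: The banner names a file and a script that this commit does not add: it says `init.insmod.common.cfg` and `init.insmod.sh`, while the files are `init.common.cfg` and `insmod.sh`. I would update both names so that a search for the loader finds it. It would also help to note next to `modprobe|-b *` that insmod.sh expands it to `-b --all=<modules_dir>/modules.load`. That makes "common modules" mean every module listed in modules.load, which the `*` alone does not convey.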
diff --git a/insmod/init.module.rc b/insmod/init.module.rc
new file mode 100644
index 0000000..de23b5b
--- /dev/null
+++ b/insmod/init.module.rc
@@ -0,0 +1,10 @@
+on init
+    # Loading common kernel modules in background
+    start insmod_sh
+
+service insmod_sh /vendor/bin/insmod.sh /vendor/etc/init.common.cfg
+    class main
+    user root
+    group root system
+    disabled
+    oneshot
diff --git a/insmod/insmod.mk b/insmod/insmod.mk
new file mode 100644
index 0000000..aa2261a
--- /dev/null
+++ b/insmod/insmod.mk
@@ -0,0 +1,4 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/insmod/sepolicy
+PRODUCT_PACKAGES += \
+        insmod.sh \
+        init.common.cfg
diff --git a/insmod/insmod.sh b/insmod/insmod.sh
new file mode 100755
index 0000000..2c434ef
--- /dev/null
+++ b/insmod/insmod.sh
@@ -0,0 +1,67 @@
+#!/vendor/bin/sh
+
+#############################################################
+### init.insmod.cfg format:                               ###
+### ----------------------------------------------------- ###
+### [insmod|setprop|enable/moprobe|wait] [path|prop name] ###
+### ...                                                   ###
+#############################################################
+
+modules_dir=
+
+for f in /vendor/lib/modules/*/modules.dep /vendor/lib/modules/modules.dep; do
+  if [[ -f "$f" ]]; then
+    modules_dir="$(dirname "$f")"
+    break
+  fi
+done
+
+if [[ -z "${modules_dir}" ]]; then
+  echo "Unable to locate kernel modules directory" 2>&1
+  exit 1
+fi
+
+# imitates wait_for_file() in init
+wait_for_file()
+{
+    filename="${1}"
+    timeout="${2:-5}"
+
+    expiry=$(($(date "+%s")+timeout))
+    while [[ ! -e "${filename}" ]] && [[ "$(date "+%s")" -le "${expiry}" ]]
+    do
+        sleep 0.01
+    done
+}
+
+if [ $# -eq 1 ]; then
+  cfg_file=$1
+else
+  # Set property even if there is no insmod config
+  # to unblock early-boot trigger
+  setprop vendor.common.modules.ready
+  setprop vendor.device.modules.ready
+  setprop vendor.all.modules.ready
+  setprop vendor.all.devices.ready
+  exit 1
+fi
+
+if [ -f $cfg_file ]; then
+  while IFS="|" read -r action arg
+  do
+    case $action in
+      "insmod") insmod $arg ;;
+      "setprop") setprop $arg 1 ;;
+      "enable") echo 1 > $arg ;;
+      "modprobe")
+        case ${arg} in
+          "-b *" | "-b")
+            arg="-b --all=${modules_dir}/modules.load" ;;
+          "*" | "")
+            arg="--all=${modules_dir}/modules.load" ;;
+        esac
+        modprobe -a -d "${modules_dir}" $arg ;;
+      "wait") wait_for_file $arg ;;
+    esac
+  done < $cfg_file
+fi
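Review bot: The fallback branch calls `setprop vendor.common.modules.ready` and its three siblings with no value, whereas the config loop uses `setprop $arg 1`. The setprop I know requires both NAME and VALUE, so these calls would likely fail and leave the early-boot trigger they are meant to unblock still waiting; I would write `setprop vendor.common.modules.ready 1`, and likewise for the other three. The earlier `exit 1` when no modules.dep is found sets none of these properties, and its `echo ... 2>&1` leaves the message on stdout where `>&2` was presumably meant. This runs as a root service, so `[ -f $cfg_file ]`, `done < $cfg_file` and `echo 1 > $arg` would be safer with the file name and redirect target quoted; the `$arg` passed to `modprobe` relies on word splitting and has to stay unquoted. The header comment also spells `moprobe` and refers to `init.insmod.cfg`.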
diff --git a/insmod/sepolicy/file_contexts b/insmod/sepolicy/file_contexts
new file mode 100644
index 0000000..e048641
--- /dev/null
+++ b/insmod/sepolicy/file_contexts
@@ -0,0 +1,5 @@
+# Vendor_kernel_modules
+/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
+
+/vendor/bin/insmod\.sh          u:object_r:insmod-sh_exec:s0
+
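Review bot: The only module label added here covers `/vendor_dlkm/lib/modules/.*\.ko`, while insmod.sh in this commit looks for modules.dep under `/vendor/lib/modules`. If that path does not resolve into vendor_dlkm on a given device, the modules found there would not carry `vendor_kernel_modules`, and the `module_load` rule in insmod-sh.te would not cover them. Whether platform policy already labels that path is not visible from this diff. A comment such as `# /vendor/lib/modules is expected to resolve into /vendor_dlkm on devices using this policy` would record the assumption.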
diff --git a/insmod/sepolicy/insmod-sh.te b/insmod/sepolicy/insmod-sh.te
new file mode 100644
index 0000000..d7b4f72
--- /dev/null
+++ b/insmod/sepolicy/insmod-sh.te
@@ -0,0 +1,11 @@
+type insmod-sh, domain;
+type insmod-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(insmod-sh)
+
+allow insmod-sh self:capability sys_module;
+allow insmod-sh vendor_kernel_modules:system module_load;
+allow insmod-sh vendor_toolbox_exec:file execute_no_trans;
+
+set_prop(insmod-sh, vendor_device_prop)
+
+dontaudit insmod-sh proc_cmdline:file r_file_perms;
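Review bot: `dontaudit insmod-sh proc_cmdline:file r_file_perms;` hides a denial without saying which tool triggers it, so a later reader cannot judge whether suppressing it is still correct. A comment above it should name the caller, presumably modprobe, and state that the read is not required, for example `# modprobe probes /proc/cmdline; the read is not needed, so silence the denial`. The `enable` action in insmod.sh (`echo 1 > $arg`) and the `wait` action touch paths for which this file grants nothing. If device-specific policy is expected to add those rules, a comment here saying so would stop a config using them from failing silently.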
diff --git a/insmod/sepolicy/property.te b/insmod/sepolicy/property.te
new file mode 100644
index 0000000..50f7b34
--- /dev/null
+++ b/insmod/sepolicy/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_device_prop)
diff --git a/insmod/sepolicy/property_contexts b/insmod/sepolicy/property_contexts
new file mode 100644
index 0000000..1e871b6
--- /dev/null
+++ b/insmod/sepolicy/property_contexts
@@ -0,0 +1,5 @@
+# Kernel modules related
+vendor.common.modules.ready     u:object_r:vendor_device_prop:s0
+vendor.device.modules.ready     u:object_r:vendor_device_prop:s0
+vendor.all.modules.ready        u:object_r:vendor_device_prop:s0
+vendor.all.devices.ready        u:object_r:vendor_device_prop:s0
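Review bot: All four entries are prefix matches, so any property whose name merely starts with, say, `vendor.all.modules.ready` also receives `vendor_device_prop` and becomes writable by insmod-sh. insmod.sh only ever writes the value `1` to these names, so each line could be pinned, for example `vendor.common.modules.ready u:object_r:vendor_device_prop:s0 exact bool`. That assumes consumers only test for a set or true value, which is not visible from this diff.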