Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 191940036b8966d60069e5daa198754e6155a5ce^! / . / private
commit191940036b8966d60069e5daa198754e6155a5ce[log] [tgz]
authorJanis Danisevskis <jdanis@google.com>Wed Dec 02 09:52:42 2020 -0800
committerJanis Danisevskis <jdanis@google.com>Tue Dec 15 08:23:52 2020 -0800
tree9b8e602dcf9b9dca270287d477559120ba297da4
parent63d875612f41d9fde65b32ac2c81115fa6150217 [diff]
Add policy for the security compatibility hal service.

This service manager is registered by Keystore 2.0 to lookup legacy
wrapper services.

Keystore 2.0 is now written in rust. We have AIDL binding for rust but
no HIDL binding. Keystore 2.0 has to support legacy HIDL based
interfaces. So we implement the AIDL KeyMint interface in terms of the
legacy HIDL Keymaster <=  V4.1 devices in C++. This wrapper is linked
into the Keystore 2.0 process but it cannot be called directly but must
be treated like a remote binder instead. However, we cannot register
these wrappers directly, because a) we are not a vendor component, and
b) it would conflict with genuine KeyMint devices on newer devices. So
Instead we register Keystore 2.0 itself as a legacy service provider.
Which it can query itself for the legacy wrappers if it does not find
a genuine KeyMint implementation to connect to.

Bug: 171351607
Test: Keystore 2.0 can register this Service and lookup legacy wrapper
      services.
Change-Id: I935f23837721ce126531236f4920dba469a47be4

diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index d1d5f0f..bbd45eb 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil

@@ -29,6 +29,7 @@
     hal_gnss_service
     hal_power_stats_service
     hal_keymint_service
+    keystore_compat_hal_service
     keystore2_key_contexts_file
     legacy_permission_service
     location_time_zone_manager_service

diff --git a/private/service_contexts b/private/service_contexts
index 47eb92d..c5e7257 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -23,6 +23,7 @@
 android.os.UpdateEngineService            u:object_r:update_engine_service:s0
 android.os.UpdateEngineStableService      u:object_r:update_engine_stable_service:s0
 android.security.apc                      u:object_r:apc_service:s0
+android.security.compat                   u:object_r:keystore_compat_hal_service:s0
 android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0