Diced: Add policy for diced, the DICE daemon.

Bug: 198197213
Test: N/A
Change-Id: I5d0b06e3cd0c594cff6120856ca3bb4f7c1dd98d
diff --git a/private/access_vectors b/private/access_vectors
index 6edcd1f..21fa534 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -749,6 +749,16 @@
 	use_dev_id
 }
 
+class diced
+{
+	demote
+	demote_self
+	derive
+	get_attestation_chain
+	use_seal
+	use_sign
+}
+
 class drmservice {
 	consumeRights
 	setPlaybackStatus
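Review bot: The new `diced` class has no comment saying who evaluates these permissions and against whom, which matters because security_classes marks it `# userspace` (the kernel never enforces it); a one-line header would help later readers: `# Userspace class: permissions checked by the diced daemon against the domain of its Binder callers.` Nothing in this change grants any domain a `diced` permission, so the class is defined but unused until client rules land — presumably intentional for a first CL, but worth stating in the description. If the distinction between `demote` and `demote_self`, or `use_seal` and `use_sign`, is not obvious from the AIDL, a short per-entry comment would avoid guesswork when the first allow rules are written.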
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 47a2e8c..5e55093 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -9,6 +9,10 @@
     attestation_verification_service
     camera2_extensions_prop
     device_config_nnapi_native_prop
+    dice_maintenance_service
+    dice_node_service
+    diced
+    diced_exec
     extra_free_kbytes
     extra_free_kbytes_exec
     hal_contexthub_service
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 9233a4d..90ffeb5 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -8,6 +8,7 @@
   -apexd
   -bpfloader
   -crash_dump
+  -diced
   -init
   -kernel
   -keystore
@@ -40,6 +41,7 @@
   apexd
   userdebug_or_eng(`-apexd')
   bpfloader
+  diced
   init
   kernel
   keystore
diff --git a/private/diced.te b/private/diced.te
new file mode 100644
index 0000000..9d28128
--- /dev/null
+++ b/private/diced.te
@@ -0,0 +1,7 @@
+typeattribute diced coredomain;
+
+init_daemon_domain(diced)
+
+# Talk to dice HAL.
+# TODO uncomment when implemented.
+# hal_client_domain(diced, hal_dice)
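Review bot: diced.te contains no binder rules and no `add_service` for the two services that service_contexts labels `dice_maintenance_service` and `dice_node_service`, so unless those rules are granted elsewhere in this change, diced cannot register them with servicemanager and no client can find them. The type declarations this file relies on (`type diced, domain;`, `type diced_exec, ...;` and the two service types) are not in any hunk visible here; if they are not added in a public/*.te file elsewhere in the CL, the `typeattribute diced coredomain;` line will fail to compile. The commented-out `hal_client_domain(diced, hal_dice)` should say what is missing (the `hal_dice` attribute and HAL policy) so the TODO is actionable rather than a bare "uncomment when implemented".
```selinux
typeattribute diced coredomain;

init_daemon_domain(diced)

# diced serves IDiceNode / IDiceMaintenance over Binder.
binder_use(diced)
binder_service(diced)
add_service(diced, dice_node_service)
add_service(diced, dice_maintenance_service)

# … unchanged: hal_dice TODO …
```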
diff --git a/private/file_contexts b/private/file_contexts
index e7045e0..de7291b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -270,6 +270,7 @@
 /system/bin/credstore	u:object_r:credstore_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
 /system/bin/keystore2	u:object_r:keystore_exec:s0
+/system/bin/diced      u:object_r:diced_exec:s0
 /system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
 /system/bin/tombstoned u:object_r:tombstoned_exec:s0
diff --git a/private/llkd.te b/private/llkd.te
index 9c96dfb..8512e85 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -23,6 +23,7 @@
   allow llkd {
     domain
     -apexd
+    -diced
     -kernel
     -keystore
     -init
diff --git a/private/security_classes b/private/security_classes
index 200b030..0d3cc80 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -163,5 +163,8 @@
 # Keystore 2.0 key permissions
 class keystore2_key             # userspace
 
+# Diced permissions
+class diced                     # userspace
+
 class drmservice                # userspace
 # FLASK
diff --git a/private/service_contexts b/private/service_contexts
index f79715d..81d8f8e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -65,6 +65,8 @@
 android.security.apc                      u:object_r:apc_service:s0
 android.security.authorization            u:object_r:authorization_service:s0
 android.security.compat                   u:object_r:keystore_compat_hal_service:s0
+android.security.dice.IDiceMaintenance    u:object_r:dice_maintenance_service:s0
+android.security.dice.IDiceNode           u:object_r:dice_node_service:s0
 android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.security.legacykeystore           u:object_r:legacykeystore_service:s0
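Review bot: `android.security.dice.IDiceMaintenance` is labelled with its own type, which is the right shape for restricting it, but nothing visible in this change limits which domains may `find` `dice_maintenance_service`, even though the new `diced` class lists a privileged `demote` operation. As is done for other maintenance-style services, consider pairing the type declaration with a neverallow that confines `dice_maintenance_service:service_manager find` to the intended callers, and a comment naming that caller set. The declarations of `dice_maintenance_service` and `dice_node_service` as `service_manager_type` are not in any hunk shown here; if they are not part of this CL, these two entries will not build.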