Add permissions for remote_provisioning service Bug: 254112668 Test: manual + presubmit Change-Id: I54d56c34ad4a8199b8aa005742faf9e1e12583c3

commit: 3accea479aa4797165b310e5e07aa8a34919485a [log] [tgz]
author: Seth Moore <sethmo@google.com> Thu Oct 20 14:09:11 2022 -0700
committer: Seth Moore <sethmo@google.com> Tue Dec 06 08:46:20 2022 -0800
tree: 04bcc59cb7999c9edbced75849aec12f9f62f392
parent: ef567215557e70ef6f68f6d615c43fb8dfdfd4ef [diff]
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 72f4804..c4a74b6 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go

@@ -341,6 +341,7 @@
 		"rcs":                          EXCEPTION_NO_FUZZER,
 		"reboot_readiness":             EXCEPTION_NO_FUZZER,
 		"recovery":                     EXCEPTION_NO_FUZZER,
+		"remote_provisioning":          EXCEPTION_NO_FUZZER,
 		"resolver":                     EXCEPTION_NO_FUZZER,
 		"resources":                    EXCEPTION_NO_FUZZER,
 		"restrictions":                 EXCEPTION_NO_FUZZER,

diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 45bca3d..786dc14 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil

@@ -29,6 +29,7 @@
     ntfs
     permissive_mte_prop
     prng_seeder
+    remote_provisioning_service
     rkpdapp
     servicemanager_prop
     system_net_netd_service

diff --git a/private/service_contexts b/private/service_contexts
index ecd1f44..6dfc5a7 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -319,6 +319,7 @@
 rcs                                       u:object_r:radio_service:s0
 reboot_readiness                          u:object_r:reboot_readiness_service:s0
 recovery                                  u:object_r:recovery_service:s0
+remote_provisioning                       u:object_r:remote_provisioning_service:s0
 resolver                                  u:object_r:resolver_service:s0
 resources                                 u:object_r:resources_manager_service:s0
 restrictions                              u:object_r:restrictions_service:s0

diff --git a/private/system_server.te b/private/system_server.te
index 3a7dd8a..a967dcf 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -5,6 +5,7 @@
 
 typeattribute system_server coredomain;
 typeattribute system_server mlstrustedsubject;
+typeattribute system_server remote_provisioning_service_server;
 typeattribute system_server scheduler_service_server;
 typeattribute system_server sensor_service_server;
 typeattribute system_server stats_service_server;

diff --git a/public/attributes b/public/attributes
index ae610e6..0478874 100644
--- a/public/attributes
+++ b/public/attributes

@@ -399,6 +399,7 @@
 attribute camera_service_server;
 attribute display_service_server;
 attribute evsmanager_service_server;
+attribute remote_provisioning_service_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;

diff --git a/public/keystore.te b/public/keystore.te
index 8ac503e..4cef175 100644
--- a/public/keystore.te
+++ b/public/keystore.te

@@ -5,6 +5,7 @@
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
+binder_call(keystore, remote_provisioning_service_server)
 binder_call(keystore, system_server)
 binder_call(keystore, wificond)
 
@@ -17,6 +18,7 @@
 add_service(keystore, remoteprovisioning_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 allow keystore dropbox_service:service_manager find;
+allow keystore remote_provisioning_service:service_manager find;
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)

diff --git a/public/remote_provisioning_service_server.te b/public/remote_provisioning_service_server.te
new file mode 100644
index 0000000..710b43d
--- /dev/null
+++ b/public/remote_provisioning_service_server.te

@@ -0,0 +1,5 @@
+# This service is hosted by system server, and provides a stable aidl
+# front-end for a mainline module that is loaded into system server.
+add_service(remote_provisioning_service_server, remote_provisioning_service)
+
+binder_use(remote_provisioning_service_server)

diff --git a/public/service.te b/public/service.te
index 9ca96bd..819498c 100644
--- a/public/service.te
+++ b/public/service.te

@@ -194,6 +194,7 @@
 type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
 type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type remote_provisioning_service, system_server_service, service_manager_type;
 type resources_manager_service, system_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type role_service, app_api_service, system_server_service, service_manager_type;
commit	3accea479aa4797165b310e5e07aa8a34919485a	[log] [tgz]
author	Seth Moore <sethmo@google.com>	Thu Oct 20 14:09:11 2022 -0700
committer	Seth Moore <sethmo@google.com>	Tue Dec 06 08:46:20 2022 -0800
tree	04bcc59cb7999c9edbced75849aec12f9f62f392
parent	ef567215557e70ef6f68f6d615c43fb8dfdfd4ef [diff]