Merge "Remove unnecessary entries from microdroid vendor file_contexts"

commit: 45b594f5efdd45154d0e2cebdf1be6fbc4d61c2f [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Tue Apr 05 10:20:49 2022 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Apr 05 10:20:49 2022 +0000
tree: 67d9c8e3e3af5220659180f1fb3a9ef2e768b23a
parent: aaacfdb05424692db11d5e26df912c57918a539a [diff]
parent: db9b8670b3882bf61fd07802e5a59e210aa28ea9 [diff]
diff --git a/private/init.te b/private/init.te
index 997a184..1405b9e 100644
--- a/private/init.te
+++ b/private/init.te

@@ -105,6 +105,9 @@
 # Only init can set keystore.boot_level
 neverallow { domain -init } keystore_listen_prop:property_service set;
 
+# Only init can set the ro.remote_provisioning.* props
+neverallow { domain -init } remote_prov_prop:property_service set;
+
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
 

diff --git a/private/keystore.te b/private/keystore.te
index 838712f..78c0198 100644
--- a/private/keystore.te
+++ b/private/keystore.te

@@ -17,6 +17,9 @@
 # Allow to check whether security logging is enabled.
 get_prop(keystore, device_logging_prop)
 
+# Allow keystore to check if the system is rkp only.
+get_prop(keystore, remote_prov_prop)
+
 # Allow keystore to write to statsd.
 unix_socket_send(keystore, statsdw, statsd)
 

diff --git a/private/property.te b/private/property.te
index 3f02c83..834d2df 100644
--- a/private/property.te
+++ b/private/property.te

@@ -31,6 +31,7 @@
 system_internal_prop(pm_prop)
 system_internal_prop(profcollectd_node_id_prop)
 system_internal_prop(radio_cdma_ecm_prop)
+system_internal_prop(remote_prov_prop)
 system_internal_prop(rollback_test_prop)
 system_internal_prop(setupwizard_prop)
 system_internal_prop(snapuserd_prop)

diff --git a/private/property_contexts b/private/property_contexts
index 04e77e4..d244108 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -1249,6 +1249,10 @@
 
 ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
 
+# Store the URL that the provisioning code should point at.
+ro.remote_provisioning.strongbox.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+ro.remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+
 # Broadcast boot stages, which keystore listens to
 keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
 

diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index 010c9bc..b2b3987 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te

@@ -4,6 +4,7 @@
 app_domain(remote_prov_app)
 net_domain(remote_prov_app)
 
+get_prop(remote_prov_app, remote_prov_prop)
 # The app needs access to properly build a DeviceInfo package for the verifying server
 get_prop(remote_prov_app, vendor_security_patch_level_prop)
commit	45b594f5efdd45154d0e2cebdf1be6fbc4d61c2f	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Tue Apr 05 10:20:49 2022 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Tue Apr 05 10:20:49 2022 +0000
tree	67d9c8e3e3af5220659180f1fb3a9ef2e768b23a
parent	aaacfdb05424692db11d5e26df912c57918a539a [diff]
parent	db9b8670b3882bf61fd07802e5a59e210aa28ea9 [diff]