Add plumbing for new tee_service_contexts
This will be used to enable some VMs to issue custom vendor-defined
SMCs. On the Android host side, the allow list of what VMs can access
what SMC services via selinux. In short the implementation will look
like these:
* new tee_service_contexts defines all SMC services available to VMs
and their mapping to selinux labels
* sepolicy defines what VMs can access what SMC services. The access
control is defined at the "VM owner process" (i.e. process using AVF
APIs to start a VM).
* virtmngr will enforce the access control by reading the mapping from
/system/ect/selinux_tee_service_contexts and the using
selinux_check_access function from libselinux to check if the VM owner
is allowed to access requested SMC services.
Since SMC is an arm concept, we use a more generic "tee_service" name
to define it.
More information available at go/pkvm-pvm-allow-vendor-tz-services-access
Follow up patch will define an example tee_service that can be used
to test these feature end-to-end.
Bug: 360102915
Test: build & flasg
Test: adb shell ls -alZ /system/etc/selinux/tee_service_contexts
Change-Id: I14976767ae1817688584f8f225dc8127647c13cc
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 330e02f..c96dda5 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -91,6 +91,7 @@
android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
android.RegisterModuleType("seapp_contexts", seappFactory)
android.RegisterModuleType("vndservice_contexts", vndServiceFactory)
+ android.RegisterModuleType("tee_service_contexts", teeServiceFactory)
android.RegisterModuleType("file_contexts_test", fileContextsTestFactory)
android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory)
@@ -538,6 +539,12 @@
return m
}
+func teeServiceFactory() android.Module {
+ m := newModule()
+ m.build = m.buildGeneralContexts
+ return m
+}
+
func seappFactory() android.Module {
m := newModule()
m.build = m.buildSeappContexts