Add plumbing for new tee_service_contexts
This will be used to enable some VMs to issue custom vendor-defined
SMCs. On the Android host side, the allow list of what VMs can access
what SMC services via selinux. In short the implementation will look
like this:
* new tee_service_contexts defines all SMC services available to VMs
and their mapping to selinux labels
* sepolicy defines what VMs can access what SMC services. The access
control is defined at the "VM owner process" (i.e. process using AVF
APIs to start a VM).
* virtmngr will enforce the access control by reading the mapping from
/system/ect/selinux_tee_service_contexts and then using
selinux_check_access function from libselinux to check if the VM owner
is allowed to access requested SMC services.
Since SMC is an arm concept, we use a more generic "tee_service" name
to define it.
More information available at go/pkvm-pvm-allow-vendor-tz-services-access
Follow up patch will define an example tee_service that can be used
to test this feature end-to-end.
Bug: 360102915
Test: build & flash
Test: adb shell ls -alZ /system/etc/selinux/tee_service_contexts
Change-Id: I14976767ae1817688584f8f225dc8127647c13cc
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 850601f..08a4f64 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -68,6 +68,11 @@
srcs: ["vndservice_contexts"],
}
+se_build_files {
+ name: "tee_service_contexts_files",
+ srcs: ["tee_service_contexts"],
+}
+
file_contexts {
name: "plat_file_contexts",
defaults: ["contexts_flags_defaults"],
@@ -614,3 +619,34 @@
name: "fuzzer_bindings_test",
srcs: [":plat_service_contexts"],
}
+
+tee_service_contexts {
+ name: "plat_tee_service_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":tee_service_contexts_files{.plat_private}"],
+}
+
+tee_service_contexts {
+ name: "system_ext_tee_service_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":tee_service_contexts_files{.system_ext_private}"],
+ system_ext_specific: true,
+}
+
+tee_service_contexts {
+ name: "product_tee_service_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":tee_service_contexts_files{.product_private}"],
+ product_specific: true,
+}
+
+tee_service_contexts {
+ name: "vendor_tee_service_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [
+ ":tee_service_contexts_files{.plat_vendor}",
+ ":tee_service_contexts_files{.vendor}",
+ ":tee_service_contexts_files{.reqd_mask}",
+ ],
+ soc_specific: true,
+}
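Review bot: The new modules at the end of contexts/Android.bp cover plat, system_ext, product and vendor, but there is no odm_tee_service_contexts module, while plat_file_contexts_test in this same change adds expectations for /odm/etc/selinux/odm_tee_service_contexts. Either add an odm variant (a tee_service_contexts module marked device_specific: true, fed from the odm sources) or drop the odm paths from the test until the partition is actually supported, so the labelled paths and the installed files stay in step. It would also help to add a short comment above the vendor module explaining why it merges the .plat_vendor, .vendor and .reqd_mask sources, since that differs from the single-source pattern of the other three.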
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 7400a33..51d27d3 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -65,6 +65,7 @@
/vendor_seapp_contexts seapp_contexts_file
/plat_seapp_contexts seapp_contexts_file
/sepolicy sepolicy_file
+/plat_tee_service_contexts tee_service_contexts_file
/plat_service_contexts service_contexts_file
/plat_hwservice_contexts hwservice_contexts_file
/plat_keystore2_key_contexts keystore2_key_contexts_file
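Review bot: The added line /plat_tee_service_contexts relies on a tee_service_contexts_file type, but none of the visible hunks declares that type or adds the matching file_contexts rules that this test is supposed to exercise. Please confirm the type declaration and the file_contexts entries land in this same change, otherwise the test entry has nothing to match against, and consider restricting read access to the new type to the process that enforces the mapping.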
@@ -452,6 +453,7 @@
#/system/etc/selinux/mapping/30.compat.0.cil sepolicy_file
/system/etc/selinux/plat_mac_permissions.xml mac_perms_file
/system/etc/selinux/plat_property_contexts property_contexts_file
+/system/etc/selinux/plat_tee_service_contexts tee_service_contexts_file
/system/etc/selinux/plat_service_contexts service_contexts_file
/system/etc/selinux/plat_hwservice_contexts hwservice_contexts_file
/system/etc/selinux/plat_keystore2_key_contexts keystore2_key_contexts_file
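Review bot: The path expected here is /system/etc/selinux/plat_tee_service_contexts, but the commit message verifies the change with "adb shell ls -alZ /system/etc/selinux/tee_service_contexts" and describes the enforcing daemon reading a differently named file. Please align the Test: line and the description with the installed name (plat_tee_service_contexts), because the consumer that performs the selinux_check_access lookup has to open exactly this path; a mismatch would leave the allow list unreadable at enforcement time.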
@@ -689,6 +691,8 @@
/vendor/odm/etc/selinux/odm_keystore2_key_contexts keystore2_key_contexts_file
/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
/vendor/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
+/odm/etc/selinux/odm_tee_service_contexts tee_service_contexts_file
+/vendor/odm//etc/selinux/odm_tee_service_contexts tee_service_contexts_file
/product system_file
/product/does_not_exist system_file
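Review bot: The second added line, /vendor/odm//etc/selinux/odm_tee_service_contexts, has a doubled slash after "odm", unlike the neighbouring /vendor/odm/etc/selinux/ entries. As written it does not test the real path; it should read /vendor/odm/etc/selinux/odm_tee_service_contexts so the test covers the location where the file would actually be installed.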
@@ -717,6 +721,8 @@
/system/product/etc/selinux/product_service_contexts service_contexts_file
/product/etc/selinux/product_mac_permissions.xml mac_perms_file
/system/product/etc/selinux/product_mac_permissions.xml mac_perms_file
+/product/etc/selinux/product_tee_service_contexts tee_service_contexts_file
+/system/product/etc/selinux/product_tee_service_contexts tee_service_contexts_file
/product/lib system_lib_file
/product/lib/does_not_exist system_lib_file
@@ -761,6 +767,8 @@
/system/system_ext/etc/selinux/system_ext_mac_permissions.xml mac_perms_file
/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
/system/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
+/system_ext/etc/selinux/system_ext_tee_service_contexts tee_service_contexts_file
+/system/system_ext/etc/selinux/system_ext_tee_service_contexts tee_service_contexts_file
/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
/system/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec