Add plumbing for new tee_service_contexts

This will be used to enable some VMs to issue custom vendor-defined
SMCs. On the Android host side, the allow list of what VMs can access
what SMC services is defined via selinux. In short the implementation
will look like this:

* new tee_service_contexts defines all SMC services available to VMs
  and their mapping to selinux labels
* sepolicy defines what VMs can access what SMC services. The access
  control is defined at the "VM owner process" (i.e. process using AVF
  APIs to start a VM).
* virtmngr will enforce the access control by reading the mapping from
  /system/etc/selinux_tee_service_contexts and then using the
  selinux_check_access function from libselinux to check if the VM owner
  is allowed to access requested SMC services.

Since SMC is an arm concept, we use a more generic "tee_service" name
to define it.

More information available at go/pkvm-pvm-allow-vendor-tz-services-access

Follow up patch will define an example tee_service that can be used
to test this feature end-to-end.

Bug: 360102915
Test: build & flash
Test: adb shell ls -alZ /system/etc/selinux/tee_service_contexts
Change-Id: I14976767ae1817688584f8f225dc8127647c13cc
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 850601f..08a4f64 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -68,6 +68,11 @@
     srcs: ["vndservice_contexts"],
 }
 
+se_build_files {
+    name: "tee_service_contexts_files",
+    srcs: ["tee_service_contexts"],
+}
+
 file_contexts {
     name: "plat_file_contexts",
     defaults: ["contexts_flags_defaults"],
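Review bot: The new se_build_files block for "tee_service_contexts_files" has no comment saying what the file holds, and the name alone does not tell a reader of Android.bp that it is the SMC allow-list mapping. The commit message explains that "tee_service" was chosen as a generic stand-in for SMC services and that the file maps those services to selinux labels; a one-line comment above the block repeating that would help, since this file ends up gating which VM owner processes can reach vendor SMC services.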
@@ -614,3 +619,34 @@
     name: "fuzzer_bindings_test",
     srcs: [":plat_service_contexts"],
 }
+
+tee_service_contexts {
+    name: "plat_tee_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [":tee_service_contexts_files{.plat_private}"],
+}
+
+tee_service_contexts {
+    name: "system_ext_tee_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [":tee_service_contexts_files{.system_ext_private}"],
+    system_ext_specific: true,
+}
+
+tee_service_contexts {
+    name: "product_tee_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [":tee_service_contexts_files{.product_private}"],
+    product_specific: true,
+}
+
+tee_service_contexts {
+    name: "vendor_tee_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [
+        ":tee_service_contexts_files{.plat_vendor}",
+        ":tee_service_contexts_files{.vendor}",
+        ":tee_service_contexts_files{.reqd_mask}",
+    ],
+    soc_specific: true,
+}
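Review bot: None of the four tee_service_contexts modules added at the end of the file sets an installed file name, and the commit message names two different locations: the description says virtmngr reads /system/ect/selinux_tee_service_contexts, while the Test line lists /system/etc/selinux/tee_service_contexts. Please state the exact path virtmngr will open and confirm that plat_tee_service_contexts installs there, because a path mismatch in an access-control lookup has to be handled as deny rather than allow. Separately, the lines just above this addition define a test over plat_service_contexts, but nothing shown in this diff validates the new contexts type; a build-time format check would catch malformed service-to-label entries before they ship.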