Allow shell to call IRemotelyProvisionedComponent
This change gives the shell process the needed permissions to call the
rkp_factory_extraction_tool without also granting the ability to access
the KeyMint HAL service.
To run the tool from a shell accessible folder, push
rkp_factory_extraction_tool to /data/local/tmp with:
adb push out/target/product/<path/to/tool>/rkp_factory_extraction_tool \
/data/local/tmp
Test: the tool can be executed in SELinux enforcing mode
Change-Id: Idebebffa9bb405d527ab37c17030db3999efe3d1
diff --git a/private/shell.te b/private/shell.te
index c20e612..4c4feda 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -181,6 +181,9 @@
get_prop(shell, last_boot_reason_prop)
get_prop(shell, system_boot_reason_prop)
+# Allow shell to execute the remote key provisioning factory tool
+binder_call(shell, hal_keymint)
+
# Allow reading the outcome of perf_event_open LSM support test for CTS.
get_prop(shell, init_perf_lsm_hooks_prop)
diff --git a/public/shell.te b/public/shell.te
index 496061c..6c67cea 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -81,6 +81,9 @@
-apex_service
-dnsresolver_service
-gatekeeper_service
+ -hal_keymint_service
+ -hal_secureclock_service
+ -hal_sharedsecret_service
-incident_service
-installd_service
-mdns_service
@@ -196,6 +199,14 @@
### Neverallow rules
###
+# Do not allow shell to talk directly to security HAL services other than
+# hal_remotelyprovisionedcomponent_service
+neverallow shell {
+ hal_keymint_service
+ hal_secureclock_service
+ hal_sharedsecret_service
+}:service_manager find;
+
# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion