Allow shell to call IRemotelyProvisionedComponent This change gives the shell process the needed permissions to call the rkp_factory_extraction_tool without also granting the ability to access the KeyMint HAL service. To run the tool from a shell accessible folder, push rkp_factory_extraction_tool to /data/local/tmp with: adb push out/target/product/<path/to/tool>/rkp_factory_extraction_tool \ /data/local/tmp Test: the tool can be executed in SELinux enforcing mode Change-Id: Idebebffa9bb405d527ab37c17030db3999efe3d1

commit: 4d3dcd64d38339b06668c2e7273750e403d88bed [log] [tgz]
author: Max Bires <jbires@google.com> Fri Oct 07 12:51:15 2022 -0700
committer: Max Bires <jbires@google.com> Wed Nov 09 12:42:28 2022 -0800
tree: 089268d7e1a7287d6140700604030bc23876595d
parent: f974811fd70e815322b40800e0048c65239744fa [diff]
diff --git a/private/shell.te b/private/shell.te
index c20e612..4c4feda 100644
--- a/private/shell.te
+++ b/private/shell.te

@@ -181,6 +181,9 @@
 get_prop(shell, last_boot_reason_prop)
 get_prop(shell, system_boot_reason_prop)
 
+# Allow shell to execute the remote key provisioning factory tool
+binder_call(shell, hal_keymint)
+
 # Allow reading the outcome of perf_event_open LSM support test for CTS.
 get_prop(shell, init_perf_lsm_hooks_prop)
commit	4d3dcd64d38339b06668c2e7273750e403d88bed	[log] [tgz]
author	Max Bires <jbires@google.com>	Fri Oct 07 12:51:15 2022 -0700
committer	Max Bires <jbires@google.com>	Wed Nov 09 12:42:28 2022 -0800
tree	089268d7e1a7287d6140700604030bc23876595d
parent	f974811fd70e815322b40800e0048c65239744fa [diff]