Allow compos to use diced Bug: 214233409 Test: composd_cmd dice Change-Id: I82b4bd87db879f378d2fafb6e2db7e2544fef5de

commit: 50d2195cabf6d7dadf477d1fce683c9d4a6c3330 [log] [tgz]
author: Alan Stokes <alanstokes@google.com> Mon Jan 17 13:50:16 2022 +0000
committer: Alan Stokes <alanstokes@google.com> Mon Jan 17 15:48:00 2022 +0000
tree: cbceb89de68b9f5cf18e4766e8401c5006cb5098
parent: f3ec0742edbec0eff5cc1fc07f3edfc042ec7d0e [diff] [blame]
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 174eda3..41dd91a 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te

@@ -2,13 +2,19 @@
 type compos, domain, coredomain, microdroid_payload;
 type compos_exec, exec_type, file_type, system_file_type;
 
+# Expose RPC Binder service over vsock
 allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
-# Allow using keystore and authfs_service binder services
+# Allow using various binder services
 binder_use(compos);
 use_keystore(compos);
-allow compos authfs_binder_service:service_manager find;
+allow compos {
+    authfs_binder_service
+    dice_node_service
+}:service_manager find;
 binder_call(compos, authfs_service);
+binder_call(compos, diced);
+allow compos diced:diced { get_attestation_chain use_sign };
 
 # Allow payloads to use and manage their keys
 allow compos vm_payload_key:keystore2_key {
commit	50d2195cabf6d7dadf477d1fce683c9d4a6c3330	[log] [tgz]
author	Alan Stokes <alanstokes@google.com>	Mon Jan 17 13:50:16 2022 +0000
committer	Alan Stokes <alanstokes@google.com>	Mon Jan 17 15:48:00 2022 +0000
tree	cbceb89de68b9f5cf18e4766e8401c5006cb5098
parent	f3ec0742edbec0eff5cc1fc07f3edfc042ec7d0e [diff] [blame]