Add hwcryptohal permissions
Add the SELinux permissions required by the hwcrypto HAL.
Bug: b/374158137
Test: android/trusty qemu build and trusty test
Change-Id: I543b7a36c85ec64350bbad8d19596f37a20369ac
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index e6e220b..99dde56 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -131,6 +131,7 @@
"android.hardware.security.secretkeeper.ISecretkeeper/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": []string{"android.hardware.security.secretkeeper-service.nonsecure_fuzzer"},
"android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.see.hwcrypto.IHwCryptoKey/default": []string{"android.hardware.trusty.hwcryptohal-service_fuzzer"},
"android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
"android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
diff --git a/private/service_contexts b/private/service_contexts
index dec8f6b..678a5d8 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -109,6 +109,7 @@
android.hardware.security.keymint.IRemotelyProvisionedComponent/avf u:object_r:hal_remotelyprovisionedcomponent_avf_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
+android.hardware.security.see.hwcrypto.IHwCryptoKey/default u:object_r:hal_hwcrypto_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
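Review bot: The new service_contexts entry labels the binder service `hal_hwcrypto_service`, but no hunk in this change declares that type; the new `vendor/hal_hwcrypto_default.te` also references it in `hal_attribute_service(hal_hwcrypto, hal_hwcrypto_service)`, so unless a companion change adds the declaration the policy will not compile. The usual shape for a HAL service label is `type hal_hwcrypto_service, protected_service, hal_service_type, service_manager_type;` in the public service definitions. Confirm that `protected_service` is part of it, since this service fronts hardware-backed keys and should only be discoverable by domains explicitly granted `hal_hwcrypto_service` access rather than by any app or vendor domain.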
diff --git a/vendor/file_contexts b/vendor/file_contexts
index b0c7a37..dc09d79 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -114,6 +114,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.threadnetwork-service(\.sim)? u:object_r:hal_threadnetwork_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.trusty\.hwcryptohal-service u:object_r:hal_hwcrypto_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.cec-service u:object_r:hal_tv_hdmi_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.connection-service u:object_r:hal_tv_hdmi_connection_default_exec:s0
diff --git a/vendor/hal_hwcrypto_default.te b/vendor/hal_hwcrypto_default.te
new file mode 100644
index 0000000..7cb2eef
--- /dev/null
+++ b/vendor/hal_hwcrypto_default.te
@@ -0,0 +1,12 @@
+type hal_hwcrypto_default, domain;
+hal_server_domain(hal_hwcrypto_default, hal_hwcrypto)
+
+type hal_hwcrypto_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_hwcrypto_default)
+
+allow hal_hwcrypto_default tee_device:chr_file rw_file_perms;
+allow hal_hwcrypto_default ion_device:chr_file rw_file_perms;
+
+binder_call(hal_hwcrypto_client, hal_hwcrypto_server);
+hal_attribute_service(hal_hwcrypto, hal_hwcrypto_service);
+binder_use(hal_hwcrypto_server);
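Review bot: The trailing semicolons on `binder_call(hal_hwcrypto_client, hal_hwcrypto_server);`, `hal_attribute_service(hal_hwcrypto, hal_hwcrypto_service);` and `binder_use(hal_hwcrypto_server);` are inconsistent with the macro calls at the top of the same file (`hal_server_domain(...)` and `init_daemon_domain(...)` carry none); the macros already expand to terminated rules, so drop the `;`. Those three lines also grant rights on the `hal_hwcrypto` attributes and service type rather than on the `hal_hwcrypto_default` domain, which in this tree's layout belongs in the public `hal_<name>.te` file that declares the attributes (presumably `hal_attribute(hwcrypto)` lands in a separate change, since nothing here defines `hal_hwcrypto_client`/`hal_hwcrypto_server`); keeping them here ties the attribute-wide policy to one vendor implementation. The `ion_device` rule should carry a why-comment, e.g. `# NOTE(review): confirm ion_device is still required - ION is legacy; if shared buffers arrive via dmabuf heaps, drop this rule`, since the domain's purpose does not make the need for direct ION access evident, and the `tee_device` rule would benefit from a one-line comment stating that it is the channel to the Trusty hwcrypto service.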