Merge "Add SELinux policies for remote_key_provisioning_native namespace."
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 05e55ba..64e14e2 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -33,6 +33,7 @@
 		"android.hardware.broadcastradio.IBroadcastRadio/amfm":                    []string{},
 		"android.hardware.broadcastradio.IBroadcastRadio/dab":                     []string{},
 		"android.hardware.camera.provider.ICameraProvider/internal/0":             []string{},
+		"android.hardware.confirmationui.IConfirmationUI/default":                 []string{},
 		"android.hardware.contexthub.IContextHub/default":                         []string{},
 		"android.hardware.drm.IDrmFactory/clearkey":                               []string{},
 		"android.hardware.drm.ICryptoFactory/clearkey":                            []string{},
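Review bot: The added `"android.hardware.confirmationui.IConfirmationUI/default"` entry maps to an empty fuzzer list, so the AIDL service that this same change registers in service_contexts and service.te gets no fuzz coverage. An empty list satisfies the bindings check, but for a service that mediates user confirmation prompts a dedicated fuzzer, or at least a comment on the entry naming what tracks adding one, would be preferable to a permanent empty entry, e.g. `"android.hardware.confirmationui.IConfirmationUI/default": []string{}, // TODO(<tracking bug>): add fuzzer`. The enclosing map literal starts and ends outside the hunk.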
diff --git a/prebuilts/api/33.0/private/app_zygote.te b/prebuilts/api/33.0/private/app_zygote.te
index 8a62341..8aa288e 100644
--- a/prebuilts/api/33.0/private/app_zygote.te
+++ b/prebuilts/api/33.0/private/app_zygote.te
@@ -159,6 +159,7 @@
 neverallow app_zygote {
   domain
   -app_zygote
+  -prng_seeder
   userdebug_or_eng(`-su')
   userdebug_or_eng(`-heapprofd')
   userdebug_or_eng(`-traced_perf')
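Review bot: The `-prng_seeder` exclusion added to this app_zygote neverallow carries no explanation, whereas the parallel exclusion in domain.te in this same change is annotated `# Any process using libcrypto needs this`; the hal_configstore.te and vendor_init.te exclusions later in the diff have the same gap. A reader auditing these neverallow carve-outs later has to rediscover why a zygote or vendor_init may talk to this daemon, so I would annotate each one in the same style, e.g. `-prng_seeder # libcrypto DRBG seeding, see domain.te`. The neverallow block continues past the end of the hunk.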
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index c1fc736..b5aa501 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -61,6 +61,7 @@
     persist_wm_debug_prop
     proc_watermark_boost_factor
     proc_watermark_scale_factor
+    prng_seeder
     remotelyprovisionedkeypool_service
     resources_manager_service
     rootdisk_sysdev
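Review bot: Only `prng_seeder` is added to this ignore list, but the change also introduces `prng_seeder_exec` (prng_seeder.te) and `prng_seeder_socket` (file.te) as new types. If the compat mapping check in this tree requires every type new in 33.0 to be either mapped or listed here, those two will need entries as well; confirm against the build before merging. The surrounding list starts and ends outside the hunk.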
diff --git a/prebuilts/api/33.0/private/domain.te b/prebuilts/api/33.0/private/domain.te
index 2ef688c..bcb9d52 100644
--- a/prebuilts/api/33.0/private/domain.te
+++ b/prebuilts/api/33.0/private/domain.te
@@ -112,6 +112,9 @@
 # Allow all processes to check for the existence of the boringssl_self_test_marker files.
 allow domain boringssl_self_test_marker:dir search;
 
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
 # Do not assert this rule on userdebug/eng builds, due to some devices using
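Review bot: The comment on the added `unix_socket_connect(domain, prng_seeder, prng_seeder)` line says only "connect", but the macro also grants every domain `write` on the `prng_seeder_socket` sock_file (as the file.te comment in this change notes), which is the broadest grant in this patch since it covers untrusted app and vendor domains. Since that breadth is deliberate, I would say so in the comment so it is not later mistaken for an oversight, e.g. `# Allow all processes (including untrusted and vendor domains) to connect to the PRNG seeder daemon; libcrypto in any process may need seeding. Grants sock_file write on prng_seeder_socket plus connectto.`.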
@@ -496,6 +499,7 @@
     -logd # Logging by writing to logd Unix domain socket is public API
     -netd # netdomain needs this
     -mdnsd # netdomain needs this
+    -prng_seeder # Any process using libcrypto needs this
     userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
     -init
     -tombstoned # linker to tombstoned
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index c4ee2aa..cf9ea02 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te
@@ -115,3 +115,8 @@
 # /dev/selinux/test - used to verify that apex sepolicy is loaded and
 # property labeled.
 type sepolicy_test_file, file_type;
+
+# Filesystem entry for for PRNG seeder socket.  Processes require
+# write permission on this to connect, and needs to be mlstrustedobject
+# in to satisfy MLS constraints for trusted domains.
+type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
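Review bot: The comment above the new `prng_seeder_socket` type has two typos: "for for PRNG seeder socket" and "needs to be mlstrustedobject in to satisfy". Since this is the frozen prebuilt copy, fix the wording in the primary private/file.te and mirror it here so the two stay byte-identical, e.g. `# Filesystem entry for the PRNG seeder socket.  Processes require` / `# write permission on this to connect, and it needs to be mlstrustedobject` / `# to satisfy MLS constraints for trusted domains.`.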
diff --git a/prebuilts/api/33.0/private/file_contexts b/prebuilts/api/33.0/private/file_contexts
index e21c18c..65baa5d 100644
--- a/prebuilts/api/33.0/private/file_contexts
+++ b/prebuilts/api/33.0/private/file_contexts
@@ -149,6 +149,7 @@
 /dev/socket/pdx/system/vr/display/manager	u:object_r:pdx_display_manager_endpoint_socket:s0
 /dev/socket/pdx/system/vr/display/screenshot	u:object_r:pdx_display_screenshot_endpoint_socket:s0
 /dev/socket/pdx/system/vr/display/vsync	u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/prng_seeder	u:object_r:prng_seeder_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/racoon	u:object_r:racoon_socket:s0
 /dev/socket/recovery    u:object_r:recovery_socket:s0
@@ -220,6 +221,7 @@
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
 /system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/system/bin/prng_seeder		u:object_r:prng_seeder_exec:s0
 /system/bin/charger		u:object_r:charger_exec:s0
 /system/bin/canhalconfigurator  u:object_r:canhalconfigurator_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
diff --git a/prebuilts/api/33.0/private/init.te b/prebuilts/api/33.0/private/init.te
index 997a184..17e25f8 100644
--- a/prebuilts/api/33.0/private/init.te
+++ b/prebuilts/api/33.0/private/init.te
@@ -108,6 +108,9 @@
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
 
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
+
 # Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
 # attempt to write a non exisiting 'synthetic_events' file, when setting
 # up synthetic events. This is a no-op in tracefs.
diff --git a/prebuilts/api/33.0/private/prng_seeder.te b/prebuilts/api/33.0/private/prng_seeder.te
new file mode 100644
index 0000000..299e37b
--- /dev/null
+++ b/prebuilts/api/33.0/private/prng_seeder.te
@@ -0,0 +1,17 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random.  When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect.  No other IO is performed.
+typeattribute prng_seeder coredomain;
+
+# mlstrustedsubject required in order to allow connections from trusted app domains.
+typeattribute prng_seeder mlstrustedsubject;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
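Review bot: The header comment states "No other IO is performed", but the last rule grants `w_file_perms getattr ioctl` on `kmsg_debug_device`, so the daemon does perform other I/O (kernel-log writes). The comment should be accurate because it is what a later auditor will use to judge whether a new rule belongs here, e.g. `# fixed size block of entropy then disconnect.  Apart from logging to /dev/kmsg_debug, no other IO is performed.`. Separately, the unrestricted `ioctl` on the kmsg device has no `allowxperm` narrowing; if the daemon only needs a known ioctl for log level or similar, an xperm allowlist would keep the grant minimal.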
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index 8e1fcf7..de529f5 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -421,6 +421,7 @@
 # Only the kernel hwrng thread should be able to read from the HW RNG.
 neverallow {
   domain
+  -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
   -shell # For CTS, restricted to just getattr in shell.te
   -ueventd # To create the /dev/hw_random file
 } hw_random_device:chr_file *;
diff --git a/prebuilts/api/33.0/public/hal_configstore.te b/prebuilts/api/33.0/public/hal_configstore.te
index 069da47..23b04c9 100644
--- a/prebuilts/api/33.0/public/hal_configstore.te
+++ b/prebuilts/api/33.0/public/hal_configstore.te
@@ -31,6 +31,7 @@
   domain
   -hal_configstore_server
   -logd
+  -prng_seeder
   userdebug_or_eng(`-su')
   -tombstoned
   userdebug_or_eng(`-heapprofd')
diff --git a/prebuilts/api/33.0/public/prng_seeder.te b/prebuilts/api/33.0/public/prng_seeder.te
new file mode 100644
index 0000000..7438452
--- /dev/null
+++ b/prebuilts/api/33.0/public/prng_seeder.te
@@ -0,0 +1,2 @@
+# PRNG seeder daemon
+type prng_seeder, domain;
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index 57df54c..1e221ae 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -281,7 +281,8 @@
 ###
 
 # Vendor init shouldn't communicate with any vendor process, nor most system processes.
-neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+neverallow_establish_socket_comms(vendor_init, {
+    domain -init -logd -prng_seeder -su -vendor_init });
 
 # The vendor_init domain is only entered via an exec based transition from the
 # init domain, never via setcon().
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index bdb4869..121daeb 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -27,4 +27,5 @@
     virtual_fingerprint_hal_prop
     hal_gatekeeper_service
     hal_broadcastradio_service
+    hal_confirmationui_service
   ))
diff --git a/private/mtectrl.te b/private/mtectrl.te
index a727b25..e0418bc 100644
--- a/private/mtectrl.te
+++ b/private/mtectrl.te
@@ -13,3 +13,9 @@
 allow mtectrl misc_block_device:blk_file rw_file_perms;
 allow mtectrl block_device:dir r_dir_perms;
 read_fstab(mtectrl)
+
+# bootloader_message tries to find the fstab in the device config path first,
+# but because we've already booted up we can use the ro.boot properties instead,
+# so we can just ignore the SELinux denial.
+dontaudit mtectrl sysfs_dt_firmware_android:dir search;
+dontaudit mtectrl vendor_property_type:file read;
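Review bot: The second dontaudit silences `file read` denials against the whole `vendor_property_type` attribute rather than the specific property type that bootloader_message probes, so any future unintended vendor-property read by mtectrl would be hidden from audit as well. If the property file it touches is known, narrowing to that type keeps denial logs useful, e.g. `dontaudit mtectrl <specific_vendor_prop_type>:file read;`; if it is not known, a comment noting that the broad attribute is intentional would help the next reader.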
diff --git a/private/service_contexts b/private/service_contexts
index f8c99df..fe4e021 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,4 @@
+android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
 android.hardware.audio.core.IConfig/default                          u:object_r:hal_audio_service:s0
 android.hardware.audio.core.IModule/default                          u:object_r:hal_audio_service:s0
 android.hardware.audio.effect.IFactory/default                       u:object_r:hal_audio_service:s0
@@ -17,6 +18,7 @@
 # The instance here is internal/0 following naming convention for ICameraProvider.
 # It advertises internal camera devices.
 android.hardware.camera.provider.ICameraProvider/internal/0          u:object_r:hal_camera_service:s0
+android.hardware.confirmationui.IConfirmationUI/default              u:object_r:hal_confirmationui_service:s0
 android.hardware.contexthub.IContextHub/default                      u:object_r:hal_contexthub_service:s0
 android.hardware.drm.IDrmFactory/clearkey                            u:object_r:hal_drm_service:s0
 android.hardware.drm.ICryptoFactory/clearkey                         u:object_r:hal_drm_service:s0
@@ -73,7 +75,6 @@
 android.hardware.weaver.IWeaver/default                              u:object_r:hal_weaver_service:s0
 android.hardware.wifi.hostapd.IHostapd/default                       u:object_r:hal_wifi_hostapd_service:s0
 android.hardware.wifi.supplicant.ISupplicant/default                 u:object_r:hal_wifi_supplicant_service:s0
-android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
 android.se.omapi.ISecureElementService/default                       u:object_r:secure_element_service:s0
 android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
 android.system.net.netd.INetd/default                                u:object_r:system_net_netd_service:s0
diff --git a/public/hal_confirmationui.te b/public/hal_confirmationui.te
index 5d2e4b7..9896e35 100644
--- a/public/hal_confirmationui.te
+++ b/public/hal_confirmationui.te
@@ -2,3 +2,5 @@
 binder_call(hal_confirmationui_client, hal_confirmationui_server)
 
 hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)
+hal_attribute_service(hal_confirmationui, hal_confirmationui_service)
+binder_call(hal_confirmationui_server, servicemanager)
diff --git a/public/service.te b/public/service.te
index a844b82..25b0731 100644
--- a/public/service.te
+++ b/public/service.te
@@ -273,6 +273,7 @@
 type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
 type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type;
 type hal_camera_service, protected_service, hal_service_type, service_manager_type;
+type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
 type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
 type hal_dice_service, protected_service, hal_service_type, service_manager_type;
 type hal_drm_service, hal_service_type, service_manager_type;