Add policies for diced and hal_dice in microdroid
Bug: 214231981
Test: run microdroid and check diced is up and running
Change-Id: I605d7d6a790b8a14e575e67e1dcf02eaf7a5eafc
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
new file mode 100644
index 0000000..4c3a890
--- /dev/null
+++ b/microdroid/system/private/diced.te
@@ -0,0 +1,17 @@
+type diced, domain, coredomain;
+type diced_exec, system_file_type, exec_type, file_type;
+
+# diced can be started by init
+init_daemon_domain(diced)
+
+# diced can talk to dice HAL
+hal_client_domain(diced, hal_dice)
+
+# diced hosts AIDL services
+binder_use(diced)
+binder_service(diced)
+add_service(diced, dice_node_service)
+add_service(diced, dice_maintenance_service)
+
+# diced can check SELinux permissions.
+selinux_check_access(diced)
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 933c63f..b6fb2ba 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -106,6 +106,7 @@
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
+/system/bin/diced u:object_r:diced_exec:s0
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/system/bin/init u:object_r:init_exec:s0
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 3489055..6499423 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -1,3 +1,4 @@
+android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
@@ -8,6 +9,8 @@
android.security.apc u:object_r:apc_service:s0
android.security.authorization u:object_r:authorization_service:s0
android.security.compat u:object_r:keystore_compat_hal_service:s0
+android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
+android.security.dice.IDiceNode u:object_r:dice_node_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.security.legacykeystore u:object_r:legacykeystore_service:s0
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 6479c55..e3258ae 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -298,6 +298,7 @@
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
+hal_attribute(dice);
hal_attribute(drm);
hal_attribute(evs);
hal_attribute(face);
diff --git a/microdroid/system/public/hal_dice.te b/microdroid/system/public/hal_dice.te
new file mode 100644
index 0000000..92222c5
--- /dev/null
+++ b/microdroid/system/public/hal_dice.te
@@ -0,0 +1,4 @@
+binder_call(hal_dice_client, hal_dice_server)
+
+hal_attribute_service(hal_dice, hal_dice_service)
+binder_call(hal_dice_server, servicemanager)
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index 0ee9f89..6329656 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -6,6 +6,9 @@
type credstore_service, app_api_service, service_manager_type;
type default_android_hwservice, hwservice_manager_type, protected_hwservice;
type default_android_service, service_manager_type;
+type dice_maintenance_service, service_manager_type;
+type dice_node_service, service_manager_type;
+type hal_dice_service, protected_service, vendor_service, service_manager_type;
type hal_keymint_service, protected_service, vendor_service, service_manager_type;
type hal_remotelyprovisionedcomponent_service, protected_service, vendor_service, service_manager_type;
type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index 0aa85cf..2dee390 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -35,4 +35,5 @@
/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
/bin/hw/android\.hardware\.security\.keymint-service\.microdroid u:object_r:hal_keymint_default_exec:s0
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
new file mode 100644
index 0000000..832e717
--- /dev/null
+++ b/microdroid/vendor/hal_dice_default.te
@@ -0,0 +1,5 @@
+type hal_dice_default, domain;
+hal_server_domain(hal_dice_default, hal_dice)
+
+type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dice_default)