Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / a75cad0d0a12f61da18f99980ba3ce1f9b44074a^! / . / private
commita75cad0d0a12f61da18f99980ba3ce1f9b44074a[log] [tgz]
authorSeth Moore <sethmo@google.com>Wed Feb 02 13:36:50 2022 -0800
committerSeth Moore <sethmo@google.com>Wed Feb 02 15:07:26 2022 -0800
treefcb8cb0e08617bed2b763fc29c0568970333c78e
parent7e07941d3d9911c5671239a8abb2632ab30e8e69 [diff]
Add remotely provisioned key pool se policy

Keystore now hosts a native binder for the remotely provisioned key
pool, which is used to services such as credstore to lookup remotely
provisioned keys.

Add a new service context and include it in the keystore services.

Add a dependency on this new service for credstore. Also include a
credstore dependency on IRemotelyProvisionedComponent, as it's needed
to make use of the key pool.

Bug: 194696876
Test: CtsIdentityTestCases
Change-Id: I0fa71c5be79922a279eb1056305bbd3e8078116e

diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 4d55168..f834ca3 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil

@@ -47,6 +47,7 @@
     nearby_service
     proc_watermark_boost_factor
     proc_watermark_scale_factor
+    remotelyprovisionedkeypool_service
     resources_manager_service
     selection_toolbar_service
     snapuserd_proxy_socket

diff --git a/private/credstore.te b/private/credstore.te
index 8d87e2f..c410d76 100644
--- a/private/credstore.te
+++ b/private/credstore.te

@@ -4,3 +4,9 @@
 
 # talk to Identity Credential
 hal_client_domain(credstore, hal_identity)
+
+# talk to keymint, specifically for IRemotelyProvisionedComponent/default
+hal_client_domain(credstore, hal_keymint)
+
+# credstore needs to get keys from the remotely provisioned pool
+allow credstore remotelyprovisionedkeypool_service:service_manager find;

diff --git a/private/service_contexts b/private/service_contexts
index 982eae7..a22f272 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -86,6 +86,7 @@
 android.security.maintenance              u:object_r:keystore_maintenance_service:s0
 android.security.metrics                  u:object_r:keystore_metrics_service:s0
 android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
+android.security.remoteprovisioning.IRemotelyProvisionedKeyPool u:object_r:remotelyprovisionedkeypool_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 android.system.composd                    u:object_r:compos_service:s0
 android.system.virtualizationservice      u:object_r:virtualization_service:s0