Add ro.remote_provisioning.*.rkp_only properties.
These properties are used to inform keystore2 and the RemoteProvisioner
app how they should behave in the system in the event that RKP keys are
exhausted. The usual behavior in a hybrid system is not to take any
action and fallback to the factory provisioned key if key attestation is
requested and no remotely provisioned keys are available.
However, there are instances where this could happen on a device that
was intended to be RKP only, in which case the system needs to know that
it should go ahead and attempt to remotely provision new certificates or
throw an error in the case where none are available.
Test: New properties are accessible from the two domains
Change-Id: I8d6c9e650566499bf08cfda2f71c64d5c2b26fd6
diff --git a/private/init.te b/private/init.te
index 997a184..1405b9e 100644
--- a/private/init.te
+++ b/private/init.te
@@ -105,6 +105,9 @@
# Only init can set keystore.boot_level
neverallow { domain -init } keystore_listen_prop:property_service set;
+# Only init can set the ro.remote_provisioning.* props
+neverallow { domain -init } remote_prov_prop:property_service set;
+
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
diff --git a/private/keystore.te b/private/keystore.te
index 838712f..78c0198 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -17,6 +17,9 @@
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
+# Allow keystore to check if the system is rkp only.
+get_prop(keystore, remote_prov_prop)
+
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
diff --git a/private/property.te b/private/property.te
index 3f02c83..834d2df 100644
--- a/private/property.te
+++ b/private/property.te
@@ -31,6 +31,7 @@
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
+system_internal_prop(remote_prov_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapuserd_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 04e77e4..d244108 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1249,6 +1249,10 @@
ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
+# Store the URL that the provisioning code should point at.
+ro.remote_provisioning.strongbox.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+ro.remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+
# Broadcast boot stages, which keystore listens to
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index 010c9bc..b2b3987 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -4,6 +4,7 @@
app_domain(remote_prov_app)
net_domain(remote_prov_app)
+get_prop(remote_prov_app, remote_prov_prop)
# The app needs access to properly build a DeviceInfo package for the verifying server
get_prop(remote_prov_app, vendor_security_patch_level_prop)