Dice HAL: Add policy for dice HAL.
Also allow diced to talk to the dice HAL.
Bug: 198197213
Test: N/A
Change-Id: I74797b13656b38b50d7cd28a4c4c6ec4c8d1d1aa
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 5e55093..c92cc62 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -16,6 +16,7 @@
extra_free_kbytes
extra_free_kbytes_exec
hal_contexthub_service
+ hal_dice_service
hal_graphics_composer_service
hal_health_service
hal_radio_config_service
diff --git a/private/diced.te b/private/diced.te
index 9d28128..b37809c 100644
--- a/private/diced.te
+++ b/private/diced.te
@@ -3,5 +3,4 @@
init_daemon_domain(diced)
# Talk to dice HAL.
-# TODO uncomment when implemented.
-# hal_client_domain(diced, hal_dice)
+hal_client_domain(diced, hal_dice)
diff --git a/private/service_contexts b/private/service_contexts
index 81d8f8e..0e723f2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -34,6 +34,7 @@
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_voice_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_voice_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
diff --git a/public/attributes b/public/attributes
index df82abf..07eecfc 100644
--- a/public/attributes
+++ b/public/attributes
@@ -333,6 +333,7 @@
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
+hal_attribute(dice);
hal_attribute(drm);
hal_attribute(dumpstate);
hal_attribute(evs);
diff --git a/public/hal_dice.te b/public/hal_dice.te
new file mode 100644
index 0000000..92222c5
--- /dev/null
+++ b/public/hal_dice.te
@@ -0,0 +1,4 @@
+binder_call(hal_dice_client, hal_dice_server)
+
+hal_attribute_service(hal_dice, hal_dice_service)
+binder_call(hal_dice_server, servicemanager)
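Review bot: The new public/hal_dice.te has no comment explaining the trust boundary it sets up, so a reader has to cross-reference service.te (hal_dice_service is declared protected_service in this change) and private/diced.te (the only hal_client_domain(…, hal_dice) grant) to see who may reach the HAL; a one-line header such as `# DICE HAL. hal_dice_service is a protected_service: only hal_dice_client domains (currently diced) may find it and binder_call the server.` would make that explicit. The file grants binder_call only from client to server plus server to servicemanager, with no reverse server-to-client direction; that looks deliberate for an interface without callbacks (IDiceDevice, per service_contexts) and is the tighter choice, so a brief comment noting the omission is intentional would stop a later change from widening it reflexively.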
diff --git a/public/service.te b/public/service.te
index 9ffed63..dc9b178 100644
--- a/public/service.te
+++ b/public/service.te
@@ -261,6 +261,7 @@
type hal_audiocontrol_service, vendor_service, service_manager_type;
type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
+type hal_dice_service, vendor_service, protected_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index e2f14da..35c2d95 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -75,6 +75,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
diff --git a/vendor/hal_dice_default.te b/vendor/hal_dice_default.te
new file mode 100644
index 0000000..832e717
--- /dev/null
+++ b/vendor/hal_dice_default.te
@@ -0,0 +1,5 @@
+type hal_dice_default, domain;
+hal_server_domain(hal_dice_default, hal_dice)
+
+type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dice_default)
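Review bot: vendor/hal_dice_default.te does not say what hal_dice_default is for, while vendor/file_contexts in the same change labels only `android.hardware.security.dice-service.non-secure-software` with hal_dice_default_exec; that binary name suggests this domain is meant for the non-secure reference implementation rather than a production DICE backend, though the policy itself does not state that. A comment at the top of the file such as `# Default domain for the reference (non-secure, software-only) DICE HAL service; see vendor/file_contexts.` would record the intent and signal that a vendor shipping a different implementation is expected to label it with its own hal_server_domain(…, hal_dice) domain rather than reuse this one.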