Add sepolicy for non-secure AuthGraph impl
Bug: 284470121
Bug: 291228560
Test: hal_implementation_test
Test: VtsAidlAuthGraphSessionTest
Change-Id: I85bf9e0656bab3c96765cc15a5a983aefb6af66d
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 44c3243..2c9676f 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -114,6 +114,7 @@
"android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure": EXCEPTION_NO_FUZZER,
"android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 69902d8..d102818 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -9,6 +9,7 @@
dtbo_block_device
ota_build_prop
snapuserd_log_data_file
+ hal_authgraph_service
hal_codec2_service
hal_threadnetwork_service
virtual_camera_service
diff --git a/private/service_contexts b/private/service_contexts
index a1fb06b..f97e638 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -89,6 +89,7 @@
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure u:object_r:hal_authgraph_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index efdeff4..0229e6c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -306,6 +306,7 @@
# Use HALs
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_audio)
+hal_client_domain(system_server, hal_authgraph)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
diff --git a/public/attributes b/public/attributes
index d2b2cc1..a5d666e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -331,6 +331,7 @@
hal_attribute(atrace);
hal_attribute(audio);
hal_attribute(audiocontrol);
+hal_attribute(authgraph);
hal_attribute(authsecret);
hal_attribute(bluetooth);
hal_attribute(bootctl);
diff --git a/public/dumpstate.te b/public/dumpstate.te
index c52ca15..496d95974 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -151,6 +151,7 @@
# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_audio)
dump_hal(hal_audiocontrol)
+dump_hal(hal_authgraph)
dump_hal(hal_authsecret)
dump_hal(hal_bluetooth)
dump_hal(hal_broadcastradio)
diff --git a/public/hal_authgraph.te b/public/hal_authgraph.te
new file mode 100644
index 0000000..f053cb0
--- /dev/null
+++ b/public/hal_authgraph.te
@@ -0,0 +1,7 @@
+binder_call(hal_authgraph_client, hal_authgraph_server)
+
+hal_attribute_service(hal_authgraph, hal_authgraph_service)
+binder_call(hal_authgraph_server, servicemanager)
+
+allow hal_authgraph_server tee_device:chr_file rw_file_perms;
+allow hal_authgraph_server ion_device:chr_file r_file_perms;
diff --git a/public/service.te b/public/service.te
index e018e40..8f13cb2 100644
--- a/public/service.te
+++ b/public/service.te
@@ -279,6 +279,7 @@
type hal_audio_service, protected_service, hal_service_type, service_manager_type;
type hal_audiocontrol_service, hal_service_type, service_manager_type;
+type hal_authgraph_service, protected_service, hal_service_type, service_manager_type;
type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type;
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index efe0b71..5bae6c5 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -97,6 +97,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.authgraph-service\.nonsecure u:object_r:hal_authgraph_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
diff --git a/vendor/hal_authgraph_default.te b/vendor/hal_authgraph_default.te
new file mode 100644
index 0000000..1676cca
--- /dev/null
+++ b/vendor/hal_authgraph_default.te
@@ -0,0 +1,5 @@
+type hal_authgraph_default, domain;
+hal_server_domain(hal_authgraph_default, hal_authgraph)
+
+type hal_authgraph_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_authgraph_default)