Add sepolicy for KeyMint VM system properties exposed to vendors
Bug: 368502791
Test: launch_cvd --secure_hals=guest_keymint_trusty_insecure
Test: atest VtsAidlSharedSecretTargetTest
Change-Id: Ic07fcd01e4d27c2a666acbb6d24a157841ac6eff
diff --git a/private/property.te b/private/property.te
index 3694666..0f5a3f0 100644
--- a/private/property.te
+++ b/private/property.te
@@ -96,6 +96,11 @@
system_restricted_prop(profcollectd_etr_prop)
')
+# These types will be public starting at board api 202504
+until_board_api(202504, `
+ system_vendor_config_prop(trusty_security_vm_sys_vendor_prop)
+')
+
# Properties which should only be written by vendor_init
system_vendor_config_prop(avf_virtualizationservice_prop)
system_vendor_config_prop(high_barometer_quality_prop)
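Review bot: The `until_board_api(202504, ...)` block added here and the `starting_at_board_api(202504, ...)` block added in public/property.te have to keep the same version and the same macro for `trusty_security_vm_sys_vendor_prop`, yet neither side says where its counterpart lives. If only one of them is edited later, the type would be declared twice for some board API levels or not at all for others. I would make the comment specific, e.g. `# trusty_security_vm_sys_vendor_prop moves to public/property.te at board api 202504; keep both blocks in sync`, and put a matching pointer above the public block. The `')` just above the addition closes an earlier block whose opening is outside the hunk; if that block is gated on the same version, the generic "These types" wording is repeated here for a single type and could be replaced by the specific comment.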
diff --git a/private/property_contexts b/private/property_contexts
index 6c74fb0..241699a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1760,3 +1760,7 @@
# Properties related to Trusty VMs
trusty.security_vm.nonsecure_vm_ready u:object_r:trusty_security_vm_sys_prop:s0 exact bool
trusty.security_vm.vm_cid u:object_r:trusty_security_vm_sys_prop:s0 exact int
+
+# Properties that allows vendors to enable Trusty security VM features
+trusty.security_vm.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
+trusty.security_vm.keymint.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
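Review bot: Neither `trusty.security_vm.enabled` nor `trusty.security_vm.keymint.enabled` uses an `ro.` prefix, so nothing in these entries makes the toggles write-once. They appear to select whether security-relevant services run in the Trusty VM, so a value rewritten after consumers have already read it could leave the system in a mixed state. If the intent is a single setting by vendor_init at boot, consider `ro.`-prefixed names, or say in the comment why they must stay mutable. The comment itself has a grammar slip and does not state who may write the keys or how the two flags relate; something like `# Properties that allow vendors to enable Trusty security VM features (written by vendor_init only)` would cover the first two, plus a line on whether `keymint.enabled` has any effect when `enabled` is false.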
diff --git a/public/property.te b/public/property.te
index fa89cbb..43f162f 100644
--- a/public/property.te
+++ b/public/property.te
@@ -206,6 +206,9 @@
system_vendor_config_prop(usb_uvc_enabled_prop)
system_vendor_config_prop(setupwizard_mode_prop)
system_vendor_config_prop(pm_archiving_enabled_prop)
+starting_at_board_api(202504, `
+ system_vendor_config_prop(trusty_security_vm_sys_vendor_prop)
+')
# Properties with no restrictions
system_public_prop(adbd_config_prop)