Add SELinux policy changes for rkpd
This is part of the changes to bring up the Remote Key Provisioning Daemon
module. See packages/modules/RemoteKeyProvisioning for more info.
Change-Id: Iae4e98176491637acb03e2e09b9d8dbc269be616
Test: atest rkpd_client_test
diff --git a/apex/Android.bp b/apex/Android.bp
index 8c9db86..994bfd2 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -272,3 +272,10 @@
"com.android.healthconnect-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.rkpd-file_contexts",
+ srcs: [
+ "com.android.rkpd-file_contexts",
+ ],
+}
diff --git a/apex/com.android.rkpd-file_contexts b/apex/com.android.rkpd-file_contexts
new file mode 100644
index 0000000..4424c8a
--- /dev/null
+++ b/apex/com.android.rkpd-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/rkpd u:object_r:rkpd_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index cf6b72d..ee32646 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -313,6 +313,8 @@
"resolver": []string{},
"resources": []string{},
"restrictions": []string{},
+ "rkpd.registrar": []string{},
+ "rkpd.refresh": []string{},
"role": []string{},
"rollback": []string{},
"rttmanager": []string{},
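Review bot: The two new entries `"rkpd.registrar": []string{}` and `"rkpd.refresh": []string{}` register new binder services with an empty fuzzer list, which presumably means no fuzzer covers either interface. Since rkpd is a new daemon exposing binder endpoints, I would record the gap next to the entries, e.g. `// TODO(b/<bug-id>): add binder fuzzers for rkpd.registrar and rkpd.refresh`, so it does not stay silent. As a style point, the neighbouring keys look alphabetical, so `rkpd.refresh` would sort before `rkpd.registrar`; the same ordering applies to the added lines in private/service.te and private/service_contexts.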
diff --git a/private/rkpd.te b/private/rkpd.te
new file mode 100644
index 0000000..d75638a
--- /dev/null
+++ b/private/rkpd.te
@@ -0,0 +1,15 @@
+# Policies for Remote Key Provisioning Daemon (rkpd)
+type rkpd, domain;
+type rkpd_exec, system_file_type, exec_type, file_type;
+
+typeattribute rkpd coredomain;
+
+binder_use(rkpd)
+binder_service(rkpd)
+
+init_daemon_domain(rkpd)
+
+add_service(rkpd, rkpd_registrar_service)
+add_service(rkpd, rkpd_refresh_service)
+
+
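Review bot: The policy lets rkpd publish `rkpd_registrar_service` and `rkpd_refresh_service` via `add_service`, but as far as this diff shows no domain is granted `find` on either type, and in private/service.te both carry only `service_manager_type`. That is a reasonable least-privilege starting point, but the intended clients are not recorded anywhere in the change. I would extend the header comment to say so, e.g. `# Clients: <intended client domains>; grant service_manager find per domain, not via a broad attribute`. The file also ends with two blank added lines that can be dropped.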
diff --git a/private/service.te b/private/service.te
index 1f407a6..84e39ae 100644
--- a/private/service.te
+++ b/private/service.te
@@ -10,6 +10,8 @@
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
+type rkpd_registrar_service, service_manager_type;
+type rkpd_refresh_service, service_manager_type;
type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statsbootstrap_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 63f3ff7..d86bf47 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -298,6 +298,8 @@
resolver u:object_r:resolver_service:s0
resources u:object_r:resources_manager_service:s0
restrictions u:object_r:restrictions_service:s0
+rkpd.registrar u:object_r:rkpd_registrar_service:s0
+rkpd.refresh u:object_r:rkpd_refresh_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
rttmanager u:object_r:rttmanager_service:s0