Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / d38119602106c9d48a2bf786baf08e6866ea0e5f^! / .
commitd38119602106c9d48a2bf786baf08e6866ea0e5f[log] [tgz]
authorHani Kazmi <hanikazmi@google.com>Wed Oct 02 17:26:18 2024 +0000
committerHani Kazmi <hanikazmi@google.com>Wed Oct 02 17:28:11 2024 +0000
treec2d7616bf02149615dc577e1b38f54f38d75ea8e
parent2fd6f3c64d03b052513a36579d9ed1cb1cfd5c1c [diff]
[AAPM] Introduce new Service for Android Advanced Protection Mode

We add a new service and manager, behind a feature flag. This service
will be used to enroll devices into a security conscious protection
mode, and to allow clients to customise behaviour based on the state of
this mode.

Bug: 352420507
Test: atest AdvancedProtectionServiceTest AdvancedProtectionManagerTest
Flag: android.security.aapm_api
Change-Id: I8e300d021de07ef851251698bc6988b702a6f64b

diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 28bafa4..698d68f 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go

@@ -165,6 +165,7 @@
 		"adaptive_auth":       EXCEPTION_NO_FUZZER,
 		"adb":                 EXCEPTION_NO_FUZZER,
 		"adservices_manager":  EXCEPTION_NO_FUZZER,
+		"advanced_protection": EXCEPTION_NO_FUZZER,
 		"aidl_lazy_test_1":    EXCEPTION_NO_FUZZER,
 		"aidl_lazy_test_2":    EXCEPTION_NO_FUZZER,
 		"aidl_lazy_test_quit": EXCEPTION_NO_FUZZER,

diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 1606502..787531a 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil

@@ -19,4 +19,5 @@
     virtual_fingerprint_exec
     virtual_face
     virtual_face_exec
+    advanced_protection_service
   ))

diff --git a/private/service_contexts b/private/service_contexts
index aec4213..7c3efc7 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -146,6 +146,9 @@
 adaptive_auth                             u:object_r:adaptive_auth_service:s0
 adb                                       u:object_r:adb_service:s0
 adservices_manager                        u:object_r:adservices_manager_service:s0
+starting_at_board_api(202504, `
+    advanced_protection                       u:object_r:advanced_protection_service:s0
+')
 aidl_lazy_test_1                          u:object_r:aidl_lazy_test_service:s0
 aidl_lazy_test_2                          u:object_r:aidl_lazy_test_service:s0
 aidl_lazy_test_quit                       u:object_r:aidl_lazy_test_service:s0

diff --git a/public/service.te b/public/service.te
index 663ca14..9d77fb9 100644
--- a/public/service.te
+++ b/public/service.te

@@ -66,6 +66,9 @@
 type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type adb_service, system_api_service, system_server_service, service_manager_type;
 type adservices_manager_service, system_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+    type advanced_protection_service, app_api_service, system_server_service, service_manager_type;
+')
 type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type app_binding_service, system_server_service, service_manager_type;
 starting_at_board_api(202504, `