commit e1c49f55247353c714777c610dac52cd1f6e16be
author Vikram Gaur <vikramgaur@google.com> Thu Sep 29 21:20:22 2022 +0000
committer Vikram Gaur <vikramgaur@google.com> Thu Sep 29 21:32:58 2022 +0000
tree f7763907152be13b8a95c6964ac8da7bde18284a
parent 38292f168a6180a9ecf5b6d31bcec4a0187d2cbb

Add SELinux policies for remote_key_provisioning_native namespace.

We need to separate out the feature flags in use by remote key
provisioning daemon (RKPD). For this, I have set up a new namespace
remote_key_provisioning_native. This change adds the SELinux policies to
make sure appropriate permissions are present when accessing the feature
flag for read/write.

Change-Id: I9e73a623f847a058b6236dd0aa370a7f9a9e6da7
Test: TreeHugger

private/flags_health_check.te

diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 64b595d..a26726d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -27,6 +27,7 @@
 set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
 set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
 set_prop(flags_health_check, device_config_memory_safety_native_prop)
+set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a

private/keystore.te

diff --git a/private/keystore.te b/private/keystore.te
index 8e681b1..b69477c 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -20,6 +20,9 @@
 # Allow keystore to check if the system is rkp only.
 get_prop(keystore, remote_prov_prop)
 
+# Allow keystore to check rkpd feature flags
+get_prop(keystore, device_config_remote_key_provisioning_native_prop)
+
 # Allow keystore to write to statsd.
 unix_socket_send(keystore, statsdw, statsd)
 

private/property.te

diff --git a/private/property.te b/private/property.te
index 61144be..cac04d3 100644
--- a/private/property.te
+++ b/private/property.te
@@ -5,6 +5,7 @@
 system_internal_prop(device_config_lmkd_native_prop)
 system_internal_prop(device_config_mglru_native_prop)
 system_internal_prop(device_config_profcollect_native_boot_prop)
+system_internal_prop(device_config_remote_key_provisioning_native_prop)
 system_internal_prop(device_config_statsd_native_prop)
 system_internal_prop(device_config_statsd_native_boot_prop)
 system_internal_prop(device_config_storage_native_boot_prop)

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 515c007..d1a4ecf 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -255,6 +255,7 @@
 persist.device_config.netd_native.                  u:object_r:device_config_netd_native_prop:s0
 persist.device_config.nnapi_native.                 u:object_r:device_config_nnapi_native_prop:s0
 persist.device_config.profcollect_native_boot.      u:object_r:device_config_profcollect_native_boot_prop:s0
+persist.device_config.remote_key_provisioning_native.  u:object_r:device_config_remote_key_provisioning_native_prop:s0
 persist.device_config.runtime_native.               u:object_r:device_config_runtime_native_prop:s0
 persist.device_config.runtime_native_boot.          u:object_r:device_config_runtime_native_boot_prop:s0
 persist.device_config.statsd_native.                u:object_r:device_config_statsd_native_prop:s0

private/rkpd.te

diff --git a/private/rkpd.te b/private/rkpd.te
index d75638a..45e3e8d 100644
--- a/private/rkpd.te
+++ b/private/rkpd.te
@@ -12,4 +12,4 @@
 add_service(rkpd, rkpd_registrar_service)
 add_service(rkpd, rkpd_refresh_service)
 
-
+get_prop(rkpd, device_config_remote_key_provisioning_native_prop)

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index eb1e46a..375158f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -755,6 +755,7 @@
 set_prop(system_server, device_config_vendor_system_native_boot_prop)
 set_prop(system_server, device_config_virtualization_framework_native_prop)
 set_prop(system_server, device_config_memory_safety_native_prop)
+set_prop(system_server, device_config_remote_key_provisioning_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
 
 # Allow query ART device config properties
@@ -1288,6 +1289,7 @@
   device_config_runtime_native_prop
   device_config_media_native_prop
   device_config_mglru_native_prop
+  device_config_remote_key_provisioning_native_prop
   device_config_storage_native_boot_prop
   device_config_surface_flinger_native_boot_prop
   device_config_sys_traced_prop