Add SELinux policies for remote_key_provisioning_native namespace.
We need to separate out the feature flags used by the remote key
provisioning daemon (RKPD). For this, I have set up a new namespace,
remote_key_provisioning_native. This change adds the SELinux policies that
grant the appropriate permissions for reading and writing the feature
flags in that namespace.
Change-Id: I9e73a623f847a058b6236dd0aa370a7f9a9e6da7
Test: TreeHugger
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 64b595d..a26726d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -27,6 +27,7 @@
set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
set_prop(flags_health_check, device_config_memory_safety_native_prop)
+set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/keystore.te b/private/keystore.te
index 8e681b1..b69477c 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -20,6 +20,9 @@
# Allow keystore to check if the system is rkp only.
get_prop(keystore, remote_prov_prop)
+# Allow keystore to check rkpd feature flags
+get_prop(keystore, device_config_remote_key_provisioning_native_prop)
+
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
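Review bot: The new comment above `get_prop(keystore, device_config_remote_key_provisioning_native_prop)` names neither the namespace nor the reason keystore needs it, and it lacks the closing period its neighbours have. Keystore is a sensitive domain and these flags are written by system_server and flags_health_check, so the rule should be auditable on its face; something like `# Allow keystore to read RKPD feature flags (remote_key_provisioning_native namespace).` would do. The hunk does not show which flag keystore consumes; if it is a single known flag, naming it in the comment would help later least-privilege reviews.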
diff --git a/private/property.te b/private/property.te
index 61144be..cac04d3 100644
--- a/private/property.te
+++ b/private/property.te
@@ -5,6 +5,7 @@
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
+system_internal_prop(device_config_remote_key_provisioning_native_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 515c007..d1a4ecf 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -255,6 +255,7 @@
persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
persist.device_config.nnapi_native. u:object_r:device_config_nnapi_native_prop:s0
persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
+persist.device_config.remote_key_provisioning_native. u:object_r:device_config_remote_key_provisioning_native_prop:s0
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
diff --git a/private/rkpd.te b/private/rkpd.te
index d75638a..45e3e8d 100644
--- a/private/rkpd.te
+++ b/private/rkpd.te
@@ -12,4 +12,4 @@
add_service(rkpd, rkpd_registrar_service)
add_service(rkpd, rkpd_refresh_service)
-
+get_prop(rkpd, device_config_remote_key_provisioning_native_prop)
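Review bot: The added `get_prop(rkpd, device_config_remote_key_provisioning_native_prop)` has no comment, unlike the matching rule this commit adds in keystore.te. It also replaces the blank line, so it now sits directly under the `add_service` rules. I would keep a blank separator and add `# Allow rkpd to read its feature flags (remote_key_provisioning_native namespace).` above it. Read-only access looks right for rkpd, since only flags_health_check and system_server get `set_prop` in this change.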
diff --git a/private/system_server.te b/private/system_server.te
index eb1e46a..375158f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -755,6 +755,7 @@
set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, device_config_memory_safety_native_prop)
+set_prop(system_server, device_config_remote_key_provisioning_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
# Allow query ART device config properties
@@ -1288,6 +1289,7 @@
device_config_runtime_native_prop
device_config_media_native_prop
device_config_mglru_native_prop
+ device_config_remote_key_provisioning_native_prop
device_config_storage_native_boot_prop
device_config_surface_flinger_native_boot_prop
device_config_sys_traced_prop