Preliminary policy for hal_keymaster (TREBLE)
This adds the permissions required for
android.hardware.keymaster@2.0-service to access the keymaster TA
as well as for keystore and vold to look up and use
android.hardware.keymaster@2.0-service.
IT DOES NOT remove the privileges from keystore and vold to access
the keymaster TA directly.
Test: Run keystore CTS tests
Bug: 32020919
(cherry picked from commit 5090d6f3241ffbd96f5a0b24df602bd2559f3cf4)
Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19
diff --git a/public/attributes b/public/attributes
index 4822ed5..368af4f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -131,6 +131,7 @@
attribute hal_graphics_composer;
attribute hal_health;
attribute hal_ir;
+attribute hal_keymaster;
attribute hal_light;
attribute hal_memtrack;
attribute hal_nfc;
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
new file mode 100644
index 0000000..a3aef59
--- /dev/null
+++ b/public/hal_keymaster.te
@@ -0,0 +1,7 @@
+# hwbinder access
+hwbinder_use(hal_keymaster)
+
+allow hal_keymaster tee_device:chr_file rw_file_perms;
+allow hal_keymaster tee:unix_stream_socket connectto;
+
+allow hal_keymaster ion_device:chr_file r_file_perms;
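Review bot: The new public policy file has no header and the three access rules after `hwbinder_use` are uncommented, so a reader cannot tell from the file which process the `hal_keymaster` attribute is meant for or why it needs the TEE device, the `tee` socket and `ion_device`. I would open the file with `# android.hardware.keymaster@2.0-service: hwbinder server for the keymaster TA` and put `# talk to the keymaster TA` above the two `tee`/`tee_device` rules, both taken from the commit description. The `ion_device` read rule has no stated reason anywhere in the change; a one-line comment naming what it is used for would help, and if it is speculative it should say so. Since `hal_keymaster` is an attribute rather than a domain, these rules apply to whichever vendor domain is later assigned it, which is worth stating in the header as well.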
diff --git a/public/keystore.te b/public/keystore.te
index 457ff37..4dd65eb 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -6,6 +6,11 @@
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, system_server)
+
+# talk to keymaster
+binder_call(keystore, hwservicemanager)
+binder_call(keystore, hal_keymaster)
+
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
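Review bot: The added comment `# talk to keymaster` does not distinguish the new hwbinder path from the direct TEE access keystore keeps, which the commit description explicitly calls out as still present; the same comment heads the equivalent lines in vold.te, where `allow vold tee_device:chr_file rw_file_perms;` sits directly below them. I would write `# talk to keymaster through the hwbinder HAL (looked up via hwservicemanager)` here and in vold.te, and add `# TODO: drop direct tee_device access once the HAL path is the only one (Bug: 32020919)` next to the retained direct rules so the interim state is tracked in the policy itself. Whether a lookup through hwservicemanager needs anything beyond the `binder_call` to it at this policy revision cannot be told from the diff; if it does, that permission is not granted here.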
diff --git a/public/vold.te b/public/vold.te
index 798d542..dc8ca41 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -130,6 +130,8 @@
binder_call(vold, healthd)
# talk to keymaster
+binder_call(vold, hwservicemanager)
+binder_call(vold, hal_keymaster)
allow vold tee_device:chr_file rw_file_perms;
# Access userdata block device.