commit f4382c5391d85a9d5482d337b805f6efbb688fbd
author Vikram Gaur <vikramgaur@google.com> Fri Sep 23 09:33:45 2022 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Sep 23 09:33:45 2022 +0000
tree ca6ca33b2059620a4e2cdde7a814734347136bf1
parent e6da3b80d139d01ca36a96514dc0a0483b5dfc8d
parent d25c80a9511f842079be015c49eaa7358f24cd8c

Merge "Add SELinux policy changes for rkpd"

apex/Android.bp

diff --git a/apex/Android.bp b/apex/Android.bp
index 22b021f..bbe2193 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -279,3 +279,10 @@
     "com.android.healthconnect-file_contexts",
   ],
 }
+
+filegroup {
+  name: "com.android.rkpd-file_contexts",
+  srcs: [
+    "com.android.rkpd-file_contexts",
+  ],
+}

apex/com.android.rkpd-file_contexts

diff --git a/apex/com.android.rkpd-file_contexts b/apex/com.android.rkpd-file_contexts
new file mode 100644
index 0000000..4424c8a
--- /dev/null
+++ b/apex/com.android.rkpd-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?              u:object_r:system_file:s0
+/bin/rkpd           u:object_r:rkpd_exec:s0

build/soong/service_fuzzer_bindings.go

diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index cee7f1c..822cabc 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -316,6 +316,8 @@
 		"resolver":                     []string{},
 		"resources":                    []string{},
 		"restrictions":                 []string{},
+		"rkpd.registrar":               []string{},
+		"rkpd.refresh":                 []string{},
 		"role":                         []string{},
 		"rollback":                     []string{},
 		"rttmanager":                   []string{},

private/rkpd.te

diff --git a/private/rkpd.te b/private/rkpd.te
new file mode 100644
index 0000000..d75638a
--- /dev/null
+++ b/private/rkpd.te
@@ -0,0 +1,15 @@
+# Policies for Remote Key Provisioning Daemon (rkpd)
+type rkpd, domain;
+type rkpd_exec, system_file_type, exec_type, file_type;
+
+typeattribute rkpd coredomain;
+
+binder_use(rkpd)
+binder_service(rkpd)
+
+init_daemon_domain(rkpd)
+
+add_service(rkpd, rkpd_registrar_service)
+add_service(rkpd, rkpd_refresh_service)
+
+

private/service.te

diff --git a/private/service.te b/private/service.te
index 1f407a6..84e39ae 100644
--- a/private/service.te
+++ b/private/service.te
@@ -10,6 +10,8 @@
 type mediatuner_service,            app_api_service, service_manager_type;
 type profcollectd_service,          service_manager_type;
 type resolver_service,              system_server_service, service_manager_type;
+type rkpd_registrar_service,        service_manager_type;
+type rkpd_refresh_service,          service_manager_type;
 type safety_center_service,         app_api_service, system_api_service, system_server_service, service_manager_type;
 type stats_service,                 service_manager_type;
 type statsbootstrap_service,        system_server_service, service_manager_type;

private/service_contexts

diff --git a/private/service_contexts b/private/service_contexts
index 86b27f4..92f79c7 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -301,6 +301,8 @@
 resolver                                  u:object_r:resolver_service:s0
 resources                                 u:object_r:resources_manager_service:s0
 restrictions                              u:object_r:restrictions_service:s0
+rkpd.registrar                            u:object_r:rkpd_registrar_service:s0
+rkpd.refresh                              u:object_r:rkpd_refresh_service:s0
 role                                      u:object_r:role_service:s0
 rollback                                  u:object_r:rollback_service:s0
 rttmanager                                u:object_r:rttmanager_service:s0