Add changes to bring up Keystore Certificate post processor.
Adds a system property which denotes the presence of a post processor.
Also adds the policies for the post processor service that is needed for
the processor to work correctly.
Test: manual check with test cert processor.
Bug: 361877215
Change-Id: I5feb0a250e2856189d5b4165187dcb415790e529
diff --git a/private/file_contexts b/private/file_contexts
index fa2fe3a..e26fb4e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -362,7 +362,8 @@
/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
-/system/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
+/system/bin/rkp_cert_processor u:object_r:rkp_cert_processor_exec:s0
+/system/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
diff --git a/private/keystore.te b/private/keystore.te
index 53e5dd3..44503a1 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -20,6 +20,9 @@
# Allow keystore to check if the system is rkp only.
get_prop(keystore, remote_prov_prop)
+# Allow keystore to check whether to post-process RKP certificates
+get_prop(keystore, remote_prov_cert_prop)
+
# Allow keystore to check rkpd feature flags
get_prop(keystore, device_config_remote_key_provisioning_native_prop)
@@ -45,6 +48,7 @@
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, remote_provisioning_service_server)
+binder_call(keystore, rkp_cert_processor)
binder_call(keystore, system_server)
binder_call(keystore, wificond)
@@ -56,6 +60,8 @@
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
allow keystore remote_provisioning_service:service_manager find;
+allow keystore rkp_cert_processor_service:service_manager find;
+
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
diff --git a/private/property.te b/private/property.te
index 8cc91e4..fb5251f 100644
--- a/private/property.te
+++ b/private/property.te
@@ -43,6 +43,7 @@
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(remote_prov_prop)
+system_internal_prop(remote_prov_cert_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapshotctl_prop)
@@ -783,6 +784,11 @@
} remote_prov_prop:property_service set;
neverallow {
+ domain
+ -init
+} remote_prov_cert_prop:property_service set;
+
+neverallow {
# Only allow init and shell to set rollback_test_prop
domain
-init
diff --git a/private/property_contexts b/private/property_contexts
index 13dff31..f7e81fd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1539,6 +1539,9 @@
# Hostname for the remote provisioning server a device should communicate with
remote_provisioning.hostname u:object_r:remote_prov_prop:s0 exact string
+# Support for post-processing RKP certificates
+remote_provisioning.use_cert_processor u:object_r:remote_prov_cert_prop:s0 exact bool
+
# Connection Timeout for remote provisioning step
remote_provisioning.connect_timeout_millis u:object_r:remote_prov_prop:s0 exact int
diff --git a/private/rkp_cert_processor.te b/private/rkp_cert_processor.te
new file mode 100644
index 0000000..578bd4c
--- /dev/null
+++ b/private/rkp_cert_processor.te
@@ -0,0 +1,12 @@
+# Cert processor service
+type rkp_cert_processor, domain, coredomain;
+type rkp_cert_processor_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(rkp_cert_processor)
+net_domain(rkp_cert_processor)
+
+binder_use(rkp_cert_processor)
+
+add_service(rkp_cert_processor, rkp_cert_processor_service)
+
+use_bootstrap_libs(rkp_cert_processor)
diff --git a/private/service.te b/private/service.te
index a4d00f3..1f31477 100644
--- a/private/service.te
+++ b/private/service.te
@@ -22,6 +22,7 @@
type resolver_service, system_server_service, service_manager_type;
type rkpd_registrar_service, service_manager_type;
type rkpd_refresh_service, service_manager_type;
+type rkp_cert_processor_service, service_manager_type;
type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statsbootstrap_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 7c3efc7..37652ae 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -399,6 +399,7 @@
restrictions u:object_r:restrictions_service:s0
rkpd.registrar u:object_r:rkpd_registrar_service:s0
rkpd.refresh u:object_r:rkpd_refresh_service:s0
+rkp_cert_processor.service u:object_r:rkp_cert_processor_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
rttmanager u:object_r:rttmanager_service:s0