From 5c601a9ada9694d8cd00b45f3ca280fc9fe174e0 Mon Sep 17 00:00:00 2001
From: Aayush Gupta
Date: Mon, 28 Dec 2020 12:07:12 +0530
Subject: [PATCH] non_plat: Label /dev/ut_keymaster and allow relevant permissions to sources

/dev/ut_keymaster is used by keymaster. Label it and allow relevant permissions which domains using it (vold, tee and keymaster) requires.

Denial observed without this change:
[ 46.666247] .(2)[399:logd.auditd]type=1400 audit(1609128921.744:392): avc: denied { ioctl } for comm="keymaster@3.0-s" path="/dev/ut_keymaster" dev="tmpfs" ino=17464 ioctlcmd=0x5402 scontext=u:r:hal_keymaster_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1

Test: Boot and notice that denial no longer appears

Signed-off-by: Aayush Gupta
Change-Id: Iee0126d637a139397db8857d8a780277c3ea4576
---
 non_plat/device.te | 3 +++
 non_plat/file_contexts | 3 +++
 non_plat/hal_keymaster_attestation.te | 2 ++
 non_plat/hal_keymaster_default.te | 1 +
 non_plat/tee.te | 1 +
 non_plat/vold.te | 2 ++
 6 files changed, 12 insertions(+)
 create mode 100644 non_plat/hal_keymaster_default.te
 create mode 100644 non_plat/tee.te

diff --git a/non_plat/device.te b/non_plat/device.te
index 9251874..460e4a2 100644
--- a/non_plat/device.te
+++ b/non_plat/device.te
@@ -274,3 +274,6 @@ type m_bio_misc_device, dev_type;
 type dri_device, dev_type, mlstrustedobject;
 type teei_fp_device, dev_type;
+
+# Keymaster
+type ut_keymaster_device, dev_type;
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index a6b19eb..69e990f 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -694,3 +694,6 @@
 # TEE
 /dev/teei_fp u:object_r:teei_fp_device:s0
+
+# Keymaster
+/dev/ut_keymaster u:object_r:ut_keymaster_device:s0
diff --git a/non_plat/hal_keymaster_attestation.te b/non_plat/hal_keymaster_attestation.te
index 35b9b71..eae2ddf 100644
--- a/non_plat/hal_keymaster_attestation.te
+++ b/non_plat/hal_keymaster_attestation.te
@@ -15,3 +15,5 @@ allow hal_keymaster_attestation tee_device:chr_file { read write open ioctl };
 allow hal_keymaster_attestation mnt_vendor_file:dir search;
 allow hal_keymaster_attestation persist_data_file:dir { write search add_name };
 allow hal_keymaster_attestation persist_data_file:file { write create open getattr };
+
+allow hal_keymaster_attestation ut_keymaster_device:chr_file { read write ioctl open };
diff --git a/non_plat/hal_keymaster_default.te b/non_plat/hal_keymaster_default.te
new file mode 100644
index 0000000..cc1dcda
--- /dev/null
+++ b/non_plat/hal_keymaster_default.te
@@ -0,0 +1 @@
+allow hal_keymaster_default ut_keymaster_device:chr_file { read write open ioctl};
diff --git a/non_plat/tee.te b/non_plat/tee.te
new file mode 100644
index 0000000..5a67df5
--- /dev/null
+++ b/non_plat/tee.te
@@ -0,0 +1 @@
+allow tee ut_keymaster_device:chr_file rw_file_perms;
diff --git a/non_plat/vold.te b/non_plat/vold.te
index 68081dc..1204cba 100644
--- a/non_plat/vold.te
+++ b/non_plat/vold.te
@@ -46,3 +46,5 @@ allow vold proc_swaps:file getattr;
 allow vold swap_block_device:blk_file getattr;
 allow vold sysfs_mmcblk:file rw_file_perms;
+
+allow vold ut_keymaster_device:chr_file { read write open ioctl};
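Review bot: The added rule gives hal_keymaster_attestation an unrestricted `ioctl` on ut_keymaster_device, and the hal_keymaster_default.te, vold.te and (via `rw_file_perms`) tee.te hunks do the same, while the only evidence in the commit message is one denial for `ioctlcmd=0x5402` coming from hal_keymaster_default. SELinux can scope this with an extended-permission rule next to the `allow`, e.g. `allowxperm hal_keymaster_attestation ut_keymaster_device:chr_file ioctl { <observed-cmds> };`, once the commands each domain actually issues have been collected from the audit log in permissive mode. Without that, the driver's whole ioctl surface is reachable from four domains, which is broader than the single observed command justifies. The attestation policy file continues outside this hunk.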
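Review bot: The permission set in the new hal_keymaster_default.te is written `{ read write open ioctl}` with no space before the closing brace, which differs from the `{ read write ioctl open }` form used in the hal_keymaster_attestation.te hunk of this same patch; the vold.te hunk has the same missing space. Suggested: `allow hal_keymaster_default ut_keymaster_device:chr_file { read write open ioctl };`. Since this is a new file, a one-line header such as `# Keymaster device node (/dev/ut_keymaster)` would tell a later reader why the domain needs this rule, matching the `# Keymaster` comments the patch adds to device.te and file_contexts.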
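Review bot: tee is granted `rw_file_perms` on ut_keymaster_device while the other three domains in this patch get the explicit set `{ read write open ioctl }`; the macro, as defined in the platform global_macros, also covers permissions such as getattr, lock and append, and the commit message shows no tee denial that would justify the wider grant. Unless those extra permissions are known to be required, `allow tee ut_keymaster_device:chr_file { read write open ioctl };` keeps the four rules consistent and minimal. If the macro is intentional, a comment stating which additional operation tee performs on the node would make the choice reviewable.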