From 9708912e275edfca34bcef65ccefce68e5953fa1 Mon Sep 17 00:00:00 2001 From: Yifei Qiao Date: Sat, 18 Jan 2020 10:17:31 +0800 Subject: [PATCH] [ALPS04700799] Align keymanager sepolicy with p0.mp6 Align keymanager sepolicy with p0.mp6 MTK-Commit-Id: 24a187bc32e2be7663abb880c07659834d71f4b0 Change-Id: Ia98525be2155dcf3261633d1e6c25a775426068d CR-Id: ALPS04700799 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK --- non_plat/device.te | 2 ++ non_plat/file.te | 6 +++- non_plat/file_contexts | 8 +++++ {plat_private => non_plat}/kisd.te | 3 +- plat_private/file_contexts | 4 --- plat_public/device.te | 2 -- plat_public/file.te | 4 --- plat_public/kisd.te | 9 ------ prebuilts/api/26.0/plat_private/file_contexts | 4 --- prebuilts/api/26.0/plat_private/kisd.te | 31 ------------------- prebuilts/api/26.0/plat_public/device.te | 6 ---- prebuilts/api/26.0/plat_public/file.te | 7 ----- prebuilts/api/26.0/plat_public/kisd.te | 9 ------ 13 files changed, 17 insertions(+), 78 deletions(-) rename {plat_private => non_plat}/kisd.te (93%) delete mode 100644 plat_public/kisd.te delete mode 100755 prebuilts/api/26.0/plat_private/kisd.te delete mode 100755 prebuilts/api/26.0/plat_public/device.te delete mode 100755 prebuilts/api/26.0/plat_public/file.te delete mode 100755 prebuilts/api/26.0/plat_public/kisd.te diff --git a/non_plat/device.te b/non_plat/device.te index adf47cc..ce0139a 100644 --- a/non_plat/device.te +++ b/non_plat/device.te @@ -230,6 +230,8 @@ type vbmeta_block_device, dev_type; type alarm_device, dev_type; type mdp_device, dev_type; type mrdump_device, dev_type; +type kb_block_device,dev_type; +type dkb_block_device,dev_type; ########################## # Sensor common Devices Start diff --git a/non_plat/file.te b/non_plat/file.te index 1026784..60fbd9c 100644 --- a/non_plat/file.te +++ b/non_plat/file.te @@ -357,6 +357,10 @@ type sysfs_power_off_vol, fs_type, sysfs_type; type sysfs_fg_disable, fs_type, sysfs_type; type sysfs_dis_nafg, fs_type, sysfs_type; +# drm key manager +type provision_file, file_type, data_file_type; +type key_install_data_file, file_type, data_file_type; + # Date : WK18.16 # Purpose: Android Migration type sysfs_mmcblk, fs_type, sysfs_type; @@ -367,4 +371,4 @@ type netd_socket, file_type, coredomain_socket; # Date : WK19.27 # Purpose: Android Migration for SVP -type proc_m4u, fs_type, proc_type; \ No newline at end of file +type proc_m4u, fs_type, proc_type; diff --git a/non_plat/file_contexts b/non_plat/file_contexts index 139247c..734452e 100644 --- a/non_plat/file_contexts +++ b/non_plat/file_contexts @@ -65,6 +65,7 @@ /data/vendor/stp_dump(/.*)? u:object_r:stp_dump_data_file:s0 /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 /data/vendor/dipdebug(/.*)? u:object_r:aee_dipdebug_vendor_file:s0 +/data/vendor/key_provisioning(/.*)? u:object_r:key_install_data_file:s0 # Misc data #/data/misc/acdapi(/.*)? u:object_r:acdapi_data_file:s0 @@ -479,6 +480,12 @@ /dev/block/platform/bootdevice/by-name/loader_ext(_[ab])? u:object_r:loader_ext_block_device:s0 /dev/block/platform/bootdevice/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0 +# Key manager +/dev/block/platform/bootdevice/by-name/kb u:object_r:kb_block_device:s0 +/dev/block/platform/bootdevice/by-name/dkb u:object_r:dkb_block_device:s0 +/dev/kb u:object_r:kb_block_device:s0 +/dev/dkb u:object_r:dkb_block_device:s0 + # W19.23 Q new feature - Userdata Checkpoint /dev/block/by-name/md_udc u:object_r:metadata_block_device:s0 @@ -549,6 +556,7 @@ /(system\/vendor|vendor)/bin/thermalloadalgod u:object_r:thermalloadalgod_exec:s0 /(system\/vendor|vendor)/bin/lbs_hidl_service u:object_r:lbs_hidl_service_exec:s0 /(system\/vendor|vendor)/bin/meta_tst u:object_r:meta_tst_exec:s0 +/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0 /(system\/vendor|vendor)/bin/fm_hidl_service u:object_r:fm_hidl_service_exec:s0 /(system\/vendor|vendor)/bin/wlan_assistant u:object_r:wlan_assistant_exec:s0 diff --git a/plat_private/kisd.te b/non_plat/kisd.te similarity index 93% rename from plat_private/kisd.te rename to non_plat/kisd.te index 4a46812..b0ed180 100644 --- a/plat_private/kisd.te +++ b/non_plat/kisd.te @@ -6,6 +6,7 @@ # Type Declaration # ============================================== +type kisd ,domain; type kisd_exec, exec_type, file_type, vendor_file_type; typeattribute kisd mlstrustedsubject; @@ -18,7 +19,6 @@ init_daemon_domain(kisd) allow kisd tee_device:chr_file {read write open ioctl}; allow kisd provision_file:dir {read write open ioctl add_name search remove_name}; allow kisd provision_file:file {create read write open getattr unlink}; -#allow kisd system_file:file {execute_no_trans}; allow kisd block_device:dir {read write open ioctl search}; allow kisd kb_block_device:blk_file {read write open ioctl getattr}; allow kisd dkb_block_device:blk_file {read write open ioctl getattr}; @@ -26,6 +26,7 @@ allow kisd key_install_data_file:dir {write remove_name add_name}; allow kisd key_install_data_file:file {write getattr read create unlink open}; allow kisd key_install_data_file:dir search; allow kisd mtd_device:chr_file { open read write }; +allow kisd mtd_device:blk_file { open read write ioctl getattr}; allow kisd mtd_device:dir { search }; allow kisd kb_block_device:chr_file {read write open ioctl getattr}; allow kisd dkb_block_device:chr_file {read write open ioctl getattr}; diff --git a/plat_private/file_contexts b/plat_private/file_contexts index 1fb08ca..921783a 100644 --- a/plat_private/file_contexts +++ b/plat_private/file_contexts @@ -25,7 +25,6 @@ /system/bin/aee_aed u:object_r:aee_aed_exec:s0 /system/bin/aee_aed64 u:object_r:aee_aed_exec:s0 /system/bin/aee_dumpstate u:object_r:dumpstate_exec:s0 -/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0 /system/bin/lbs_dbg u:object_r:lbs_dbg_exec:s0 # google suggest that move aee_aedv_exec to platform @google_issue_id:64130120 @@ -33,9 +32,6 @@ /(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0 /vendor/bin/aeev u:object_r:aee_aedv_exec:s0 -# kisd for Key Manager -/data/vendor/key_provisioning(/.*)? u:object_r:key_install_data_file:s0 - # storagemanager daemon # it is used to mount all storages in meta/factory mode /system/bin/storagemanagerd u:object_r:vold_exec:s0 diff --git a/plat_public/device.te b/plat_public/device.te index 86cb28f..b87df4c 100644 --- a/plat_public/device.te +++ b/plat_public/device.te @@ -2,6 +2,4 @@ # MTK Policy Rule # ============================================== -type kb_block_device,dev_type; -type dkb_block_device,dev_type; type mtd_device, dev_type; diff --git a/plat_public/file.te b/plat_public/file.te index 705baed..0e572de 100644 --- a/plat_public/file.te +++ b/plat_public/file.te @@ -2,9 +2,5 @@ # MTK Policy Rule # ============================================== -#for drm key install -type provision_file, file_type, data_file_type; -type key_install_data_file, file_type, data_file_type; - # lbs debug file type lbs_dbg_data_file, file_type, data_file_type, core_data_file_type; diff --git a/plat_public/kisd.te b/plat_public/kisd.te deleted file mode 100644 index 40ae7e3..0000000 --- a/plat_public/kisd.te +++ /dev/null @@ -1,9 +0,0 @@ -# ============================================== -# Policy File of /vendor/bin/kisd Executable File - - -# ============================================== -# Type Declaration -# ============================================== - -type kisd ,domain; diff --git a/prebuilts/api/26.0/plat_private/file_contexts b/prebuilts/api/26.0/plat_private/file_contexts index 47caa62..dbc2923 100755 --- a/prebuilts/api/26.0/plat_private/file_contexts +++ b/prebuilts/api/26.0/plat_private/file_contexts @@ -22,7 +22,6 @@ /system/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0 /system/bin/boot_logo_updater u:object_r:boot_logo_updater_exec:s0 /system/bin/meta_tst u:object_r:meta_tst_exec:s0 -/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0 /system/bin/pre_meta u:object_r:pre_meta_exec:s0 /system/bin/factory u:object_r:factory_exec:s0 @@ -30,9 +29,6 @@ /(system\/vendor|vendor)/bin/aee_aedv u:object_r:aee_aedv_exec:s0 /(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0 -# kisd for Key Manager -/data/vendor/key_provisioning(/.*)? u:object_r:key_install_data_file:s0 - # storagemanager daemon # it is used to mount all storages in meta/factory mode /system/bin/storagemanagerd u:object_r:storagemanagerd_exec:s0 diff --git a/prebuilts/api/26.0/plat_private/kisd.te b/prebuilts/api/26.0/plat_private/kisd.te deleted file mode 100755 index 4a46812..0000000 --- a/prebuilts/api/26.0/plat_private/kisd.te +++ /dev/null @@ -1,31 +0,0 @@ -# ============================================== -# Policy File of /vendor/bin/kisd Executable File - - -# ============================================== -# Type Declaration -# ============================================== - -type kisd_exec, exec_type, file_type, vendor_file_type; -typeattribute kisd mlstrustedsubject; - -# ============================================== -# MTK Policy Rule -# ============================================== - -init_daemon_domain(kisd) - -allow kisd tee_device:chr_file {read write open ioctl}; -allow kisd provision_file:dir {read write open ioctl add_name search remove_name}; -allow kisd provision_file:file {create read write open getattr unlink}; -#allow kisd system_file:file {execute_no_trans}; -allow kisd block_device:dir {read write open ioctl search}; -allow kisd kb_block_device:blk_file {read write open ioctl getattr}; -allow kisd dkb_block_device:blk_file {read write open ioctl getattr}; -allow kisd key_install_data_file:dir {write remove_name add_name}; -allow kisd key_install_data_file:file {write getattr read create unlink open}; -allow kisd key_install_data_file:dir search; -allow kisd mtd_device:chr_file { open read write }; -allow kisd mtd_device:dir { search }; -allow kisd kb_block_device:chr_file {read write open ioctl getattr}; -allow kisd dkb_block_device:chr_file {read write open ioctl getattr}; diff --git a/prebuilts/api/26.0/plat_public/device.te b/prebuilts/api/26.0/plat_public/device.te deleted file mode 100755 index c034b64..0000000 --- a/prebuilts/api/26.0/plat_public/device.te +++ /dev/null @@ -1,6 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============================================== - -type kb_block_device,dev_type; -type dkb_block_device,dev_type; \ No newline at end of file diff --git a/prebuilts/api/26.0/plat_public/file.te b/prebuilts/api/26.0/plat_public/file.te deleted file mode 100755 index 751fb0f..0000000 --- a/prebuilts/api/26.0/plat_public/file.te +++ /dev/null @@ -1,7 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============================================== - -#for drm key install -type provision_file, file_type, data_file_type; -type key_install_data_file, file_type, data_file_type; diff --git a/prebuilts/api/26.0/plat_public/kisd.te b/prebuilts/api/26.0/plat_public/kisd.te deleted file mode 100755 index 40ae7e3..0000000 --- a/prebuilts/api/26.0/plat_public/kisd.te +++ /dev/null @@ -1,9 +0,0 @@ -# ============================================== -# Policy File of /vendor/bin/kisd Executable File - - -# ============================================== -# Type Declaration -# ============================================== - -type kisd ,domain;