5c601a9ada
/dev/ut_keymaster is used by keymaster. Label it and allow relevant permissions
which domains using it (vold, tee and keymaster) requires.
Denial observed without this change:
[ 46.666247] .(2)[399:logd.auditd]type=1400 audit(1609128921.744:392): avc: denied { ioctl } for comm="keymaster@3.0-s" path="/dev/ut_keymaster" dev="tmpfs" ino=17464 ioctlcmd=0x5402 scontext=u:r:hal_keymaster_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Test: Boot and notice that denial no longer appears
Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: Iee0126d637a139397db8857d8a780277c3ea4576
20 lines
838 B
Plaintext
20 lines
838 B
Plaintext
type hal_keymaster_attestation, domain;
|
|
hal_server_domain(hal_keymaster_attestation, mtk_hal_keyattestation)
|
|
|
|
type hal_keymaster_attestation_exec, exec_type, vendor_file_type, file_type;
|
|
init_daemon_domain(hal_keymaster_attestation)
|
|
|
|
hwbinder_use(hal_keymaster_attestation);
|
|
|
|
#============= hal_keymaster_attestation ==============
|
|
allow hal_keymaster_attestation tee_device:chr_file { read write open ioctl };
|
|
|
|
# Date : WK17.42 2017/10/19
|
|
# Operation: Keymaster 3.0
|
|
# Purpose: Access attestation key in persist partition
|
|
allow hal_keymaster_attestation mnt_vendor_file:dir search;
|
|
allow hal_keymaster_attestation persist_data_file:dir { write search add_name };
|
|
allow hal_keymaster_attestation persist_data_file:file { write create open getattr };
|
|
|
|
allow hal_keymaster_attestation ut_keymaster_device:chr_file { read write ioctl open };
|