diff options
| author | qctecmdr <qctecmdr@localhost> | 2023-04-15 11:38:33 -0700 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2023-04-15 11:38:33 -0700 |
| commit | 7b53d7edc4ee956439dd3096c83b21f2dec2becb (patch) | |
| tree | e9885812584885ad040d1af64f6b5845a2ad3fdc | |
| parent | 8cf26a0d871ec91188e8d9b55eccd78c84f1df54 (diff) | |
| parent | df77b28fbfe7fd9ac1e257000c8cbb7d918c751b (diff) | |
Merge "SEPolicy: Add support for SPU Strongbox KeyMint"
| -rw-r--r-- | qva/vendor/common/file_contexts | 1 | ||||
| -rw-r--r-- | qva/vendor/common/hal_keymint_spu_qti.te | 71 |
2 files changed, 72 insertions, 0 deletions
diff --git a/qva/vendor/common/file_contexts b/qva/vendor/common/file_contexts index 4e4402fb..6aaeae79 100644 --- a/qva/vendor/common/file_contexts +++ b/qva/vendor/common/file_contexts @@ -90,6 +90,7 @@ /vendor/bin/hw/android\.hardware\.keymaster@4\.1-strongbox-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0 /vendor/bin/hw/android\.hardware\.keymaster@4\.1-javacard.service u:object_r:hal_keymaster_default_exec:s0 /vendor/bin/init\.qti\.ese\.strongbox\.sh u:object_r:vendor_init-qti-ese-strongbox-sh_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.keymint-service-spu-qti u:object_r:vendor_hal_keymint_spu_qti_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.strongbox u:object_r:vendor_hal_keymint_strongbox_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.strongbox-thales u:object_r:vendor_hal_keymint_strongbox_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.weaver@1\.0-service u:object_r:vendor_hal_weaver_default_exec:s0 diff --git a/qva/vendor/common/hal_keymint_spu_qti.te b/qva/vendor/common/hal_keymint_spu_qti.te new file mode 100644 index 00000000..df4e4308 --- /dev/null +++ b/qva/vendor/common/hal_keymint_spu_qti.te @@ -0,0 +1,71 @@ +# Copyright (c) 2023, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED"AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. +# SPDX-License-Identifier: BSD-3-Clause-Clear + +type vendor_hal_keymint_spu_qti, domain; +hal_server_domain(vendor_hal_keymint_spu_qti, hal_keymint) +type vendor_hal_keymint_spu_qti_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(vendor_hal_keymint_spu_qti) + +# Read security level android property +get_prop(vendor_hal_keymint_strongbox, vendor_security_patch_level_prop); + +# Allow access to spss_utils device +allow vendor_hal_keymint_spu_qti vendor_spss_utils_device:chr_file rw_file_perms; + +# Allow access to spcom devices +allow vendor_hal_keymint_spu_qti vendor_spcom_device:chr_file rw_file_perms; +allow vendor_hal_keymint_spu_qti vendor_skp_device:chr_file rw_file_perms; + +# Allow read sysfs +allow vendor_hal_keymint_spu_qti vendor_sysfs_data:file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_sysfs_spdaemon:file r_file_perms; +r_dir_file(vendor_hal_keymint_spu_qti, vendor_sysfs_spss); + +# Allow set / get spcomlib prop +set_prop(vendor_hal_keymint_spu_qti, vendor_spcomlib_prop) + +# Allow access to HLOS<=>SPU share buffers +allow vendor_hal_keymint_spu_qti vendor_dmabuf_sp_hlos_heap_device:chr_file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_dmabuf_system_heap_device:chr_file r_file_perms; + +# Allow access to QSEE<=>SPU share buffers +allow vendor_hal_keymint_spu_qti vendor_dmabuf_secure_sp_tz_heap_device:chr_file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms; + +# Allow to access IAR-DB at /mnt/vendor/persist/iar_db +allow vendor_hal_keymint_spu_qti vendor_persist_iar_db_file:dir rw_dir_perms; +allow vendor_hal_keymint_spu_qti vendor_persist_iar_db_file:file create_file_perms; + +# Allow hyp_assign() for HLOS-SP share buffers (r_file_perms includes ioctl) +allow vendor_hal_keymint_spu_qti vendor_vm_hlos_device:chr_file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_vm_cp_spss_sp_device:chr_file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_vm_cp_spss_sp_shared_device:chr_file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_vm_cp_spss_hlos_shared_device:chr_file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_membuf_dev:chr_file r_file_perms; |