diff options
| author | Liron Daniel <quic_lirond@quicinc.com> | 2023-02-10 00:50:23 +0200 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2023-04-12 22:28:39 -0700 |
| commit | df77b28fbfe7fd9ac1e257000c8cbb7d918c751b (patch) | |
| tree | 004acea5f95f52ba5bf82f5c13ce739b27b67ed3 | |
| parent | ab368ccb193269fb391ab330d0416dc3a66effd8 (diff) | |
SEPolicy: Add support for SPU Strongbox KeyMint
Add SEPolicy rules for SPU Strongbox KeyMint service.
Change-Id: Icb8721f0bc5b9d4063fa8b80a17540b1fdf84169
| -rw-r--r-- | qva/vendor/common/file_contexts | 1 | ||||
| -rw-r--r-- | qva/vendor/common/hal_keymint_spu_qti.te | 71 |
2 files changed, 72 insertions, 0 deletions
diff --git a/qva/vendor/common/file_contexts b/qva/vendor/common/file_contexts index 4e4402fb..6aaeae79 100644 --- a/qva/vendor/common/file_contexts +++ b/qva/vendor/common/file_contexts @@ -90,6 +90,7 @@ /vendor/bin/hw/android\.hardware\.keymaster@4\.1-strongbox-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0 /vendor/bin/hw/android\.hardware\.keymaster@4\.1-javacard.service u:object_r:hal_keymaster_default_exec:s0 /vendor/bin/init\.qti\.ese\.strongbox\.sh u:object_r:vendor_init-qti-ese-strongbox-sh_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.keymint-service-spu-qti u:object_r:vendor_hal_keymint_spu_qti_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.strongbox u:object_r:vendor_hal_keymint_strongbox_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.strongbox-thales u:object_r:vendor_hal_keymint_strongbox_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.weaver@1\.0-service u:object_r:vendor_hal_weaver_default_exec:s0 diff --git a/qva/vendor/common/hal_keymint_spu_qti.te b/qva/vendor/common/hal_keymint_spu_qti.te new file mode 100644 index 00000000..df4e4308 --- /dev/null +++ b/qva/vendor/common/hal_keymint_spu_qti.te @@ -0,0 +1,71 @@ +# Copyright (c) 2023, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED"AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. +# SPDX-License-Identifier: BSD-3-Clause-Clear + +type vendor_hal_keymint_spu_qti, domain; +hal_server_domain(vendor_hal_keymint_spu_qti, hal_keymint) +type vendor_hal_keymint_spu_qti_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(vendor_hal_keymint_spu_qti) + +# Read security level android property +get_prop(vendor_hal_keymint_strongbox, vendor_security_patch_level_prop); + +# Allow access to spss_utils device +allow vendor_hal_keymint_spu_qti vendor_spss_utils_device:chr_file rw_file_perms; + +# Allow access to spcom devices +allow vendor_hal_keymint_spu_qti vendor_spcom_device:chr_file rw_file_perms; +allow vendor_hal_keymint_spu_qti vendor_skp_device:chr_file rw_file_perms; + +# Allow read sysfs +allow vendor_hal_keymint_spu_qti vendor_sysfs_data:file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_sysfs_spdaemon:file r_file_perms; +r_dir_file(vendor_hal_keymint_spu_qti, vendor_sysfs_spss); + +# Allow set / get spcomlib prop +set_prop(vendor_hal_keymint_spu_qti, vendor_spcomlib_prop) + +# Allow access to HLOS<=>SPU share buffers +allow vendor_hal_keymint_spu_qti vendor_dmabuf_sp_hlos_heap_device:chr_file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_dmabuf_system_heap_device:chr_file r_file_perms; + +# Allow access to QSEE<=>SPU share buffers +allow vendor_hal_keymint_spu_qti vendor_dmabuf_secure_sp_tz_heap_device:chr_file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms; + +# Allow to access IAR-DB at /mnt/vendor/persist/iar_db +allow vendor_hal_keymint_spu_qti vendor_persist_iar_db_file:dir rw_dir_perms; +allow vendor_hal_keymint_spu_qti vendor_persist_iar_db_file:file create_file_perms; + +# Allow hyp_assign() for HLOS-SP share buffers (r_file_perms includes ioctl) +allow vendor_hal_keymint_spu_qti vendor_vm_hlos_device:chr_file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_vm_cp_spss_sp_device:chr_file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_vm_cp_spss_sp_shared_device:chr_file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_vm_cp_spss_hlos_shared_device:chr_file r_file_perms; +allow vendor_hal_keymint_spu_qti vendor_membuf_dev:chr_file r_file_perms; |