From 9699b144cde8995f0a9bcf9648327ea7021780ca Mon Sep 17 00:00:00 2001
From: ChengYou Ho
Date: Fri, 2 Sep 2022 17:33:52 +0000
Subject: [PATCH 1/3] Authsecret: install AIDL service
Bug: 244746589
Change-Id: Ie7c57d8a16b1146225d84f510ce7817c4b81e772
---
 dauntless/gsc.mk | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dauntless/gsc.mk b/dauntless/gsc.mk
index a26644a..6770acb 100644
--- a/dauntless/gsc.mk
+++ b/dauntless/gsc.mk
@@ -6,6 +6,7 @@ PRODUCT_PACKAGES += \
 citadeld \
 citadel_updater \
 android.hardware.weaver@1.0-service.citadel \
+ android.hardware.authsecret-service.citadel \
 android.hardware.identity@1.0-service.citadel \
 init_citadel \
 android.hardware.strongbox_keystore.xml \
From 182bdd6c086b2dc3934f2426c69a6c54fdae0650 Mon Sep 17 00:00:00 2001
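Review bot: The HAL binary is added to PRODUCT_PACKAGES here while its file_contexts label and the hal_authsecret_citadel domain only arrive in the next patch of this series, so a tree cut between the two commits ships an unlabelled service that init will presumably refuse to start (or run outside its intended domain). Landing the sepolicy patch first, or squashing the two, keeps every point in the history self-consistent and bisectable. The new entry is otherwise consistent with the neighbouring citadel service lines.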
From: ChengYou Ho
Date: Mon, 12 Sep 2022 04:07:10 +0800
Subject: [PATCH 2/3] Add authsecret aidl hal sepolicy
avc: denied { read } for comm="android.hardwar" name="vndbinder" dev="binder" ino=6 scontext=u:r:hal_authsecret_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
avc: denied { write } for comm="android.hardwar" name="vndbinder" dev="binder" ino=6 scontext=u:r:hal_authsecret_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="android.hardwar" path="/dev/binderfs/vndbinder" dev="binder" ino=6 scontext=u:r:hal_authsecret_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for comm="android.hardwar" path="/dev/binderfs/vndbinder" dev="binder" ino=6 ioctlcmd=0x6209 scontext=u:r:hal_authsecret_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
avc: denied { map } for comm="android.hardwar" path="/dev/binderfs/vndbinder" dev="binder" ino=6 scontext=u:r:hal_authsecret_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
avc: denied { call } for comm="android.hardwar" scontext=u:r:hal_authsecret_citadel:s0 tcontext=u:r:vndservicemanager:s0 tclass=binder permissive=1
avc: denied { call } for comm="android.hardwar" scontext=u:r:hal_authsecret_citadel:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
avc: denied { transfer } for comm="android.hardwar" scontext=u:r:hal_authsecret_citadel:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
avc: denied { call } for comm="binder:1286_7" scontext=u:r:system_server:s0 tcontext=u:r:hal_authsecret_citadel:s0 tclass=binder permissive=1
avc: denied { ioctl } for comm="android.hardwar" path="/dev/binderfs/vndbinder" dev="binder" ino=6 ioctlcmd=0x6201 scontext=u:r:hal_authsecret_citadel:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
avc: denied { call } for comm="android.hardwar"
scontext=u:r:hal_authsecret_citadel:s0 tcontext=u:r:citadeld:s0 tclass=binder permissive=1
avc: denied { find } for pid=3023 uid=1064 name=android.hardware.citadel.ICitadeld scontext=u:r:hal_authsecret_citadel:s0 tcontext=u:object_r:citadeld_service:s0 tclass=service_manager permissive=0
Bug: 244746589
Change-Id: I8d950329e057a2f806817384e6b00baf6f26efee
---
 dauntless/sepolicy/file_contexts | 1 +
 dauntless/sepolicy/hal_authsecret_citadel.te | 9 +++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 dauntless/sepolicy/hal_authsecret_citadel.te
diff --git a/dauntless/sepolicy/file_contexts b/dauntless/sepolicy/file_contexts
index 80ff2ae..a1d382b 100644
--- a/dauntless/sepolicy/file_contexts
+++ b/dauntless/sepolicy/file_contexts
@@ -4,6 +4,7 @@
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.citadel u:object_r:hal_keymint_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
 /vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.authsecret-service\.citadel u:object_r:hal_authsecret_citadel_exec:s0
 /vendor/bin/hw/citadel_updater u:object_r:citadel_updater:s0
 /vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
diff --git a/dauntless/sepolicy/hal_authsecret_citadel.te b/dauntless/sepolicy/hal_authsecret_citadel.te
new file mode 100644
index 0000000..029d957
--- /dev/null
+++ b/dauntless/sepolicy/hal_authsecret_citadel.te
@@ -0,0 +1,9 @@
+type hal_authsecret_citadel, domain;
+type hal_authsecret_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_authsecret_citadel)
+binder_call(hal_authsecret_citadel, citadeld)
+allow hal_authsecret_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_authsecret_citadel, hal_authsecret)
+init_daemon_domain(hal_authsecret_citadel)
From 035dd09274e2371e43a863fe0d98fa37e265bb42 Mon Sep 17 00:00:00 2001
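Review bot: The new hal_authsecret_citadel.te explains none of its rules, so the reason this domain needs vndbinder plus a direct binder path to citadeld lives only in the avc log quoted in the commit message; a header above the `vndbinder_use` line such as `# AuthSecret AIDL HAL backed by the Citadel secure element; talks to citadeld over vndbinder.` would spare the next reader that trip. The servicemanager call/transfer and the system_server → hal_authsecret_citadel call denials in the log are not granted explicitly here, so they are presumably expected to come from the hal_authsecret attribute attached by `hal_server_domain`; confirming with an enforcing boot before the series lands would be cheap, given that the one `permissive=0` denial in the log (the citadeld_service find) is the only one with its own allow rule. The rule set is otherwise tight, which is the right shape for a domain fronting a secure element.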
From: Adam Shih
Date: Thu, 8 Sep 2022 12:55:15 +0800
Subject: [PATCH 3/3] get bt permission xml to gs-common
Bug: 242661555
Test: connect to bluetooth
Change-Id: I65337866df5b2601da0e899b2e312dfac928bcb6
---
 bcmbt/bluetooth.mk | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/bcmbt/bluetooth.mk b/bcmbt/bluetooth.mk
index fd41363..6615878 100644
--- a/bcmbt/bluetooth.mk
+++ b/bcmbt/bluetooth.mk
@@ -1,7 +1,11 @@
 PRODUCT_SOONG_NAMESPACES += vendor/broadcom/bluetooth
 PRODUCT_PACKAGES += \
 android.hardware.bluetooth@1.1-service.bcmbtlinux \
- bt_vendor.conf
+ bt_vendor.conf \
+ android.hardware.bluetooth.prebuilt.xml \
+ android.hardware.bluetooth_le.prebuilt.xml
+
+
 BOARD_SEPOLICY_DIRS += device/google/gs-common/bcmbt/sepolicy
 DEVICE_MANIFEST_FILE += device/google/gs-common/bcmbt/manifest_bluetooth.xml
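Review bot: Two empty `+` lines are added after the PRODUCT_PACKAGES list, leaving a double blank before BOARD_SEPOLICY_DIRS where the rest of the file uses single spacing; dropping one keeps the makefile consistent. Because bluetooth.mk sits in gs-common, the two permission XMLs now land on every device that includes this makefile, which is presumably the intent of the subject line but is worth stating explicitly in the commit message for the next reader. `Test: connect to bluetooth` exercises classic BT only; a check that the bluetooth_le feature is now reported on the device would close the loop on the second XML.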