platform_system_sepolicy/public/hal_secretkeeper.te

13 lines
562 B
Text
Raw Normal View History

# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
# storage of secrets guarded by DICE policies.
binder_call(hal_secretkeeper_client, hal_secretkeeper_server)
hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)
binder_use(hal_secretkeeper_server)
binder_use(hal_secretkeeper_client)
# The Secretkeeper HAL service needs to communicate with a trusted application running
# in the TEE, which is represented by the tee_device permission.
allow hal_secretkeeper_server tee_device:chr_file rw_file_perms;