platform_system_sepolicy/private/hal_secretkeeper.te

# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
# storage of secrets guarded by DICE policies.
binder_call(hal_secretkeeper_client, hal_secretkeeper_server)

hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)

binder_use(hal_secretkeeper_server)
binder_use(hal_secretkeeper_client)

# The Secretkeeper HAL service needs to communicate with a trusted application running
# in the TEE, which is represented by the tee_device permission.
allow hal_secretkeeper_server tee_device:chr_file rw_file_perms;
Secretkeeper/Sepolicy: Create required domains Add sepolicies rules for Secretkeeper HAL & nonsecure service implementing the AIDL. Test: atest VtsHalSkTargetTest & check for Selinux denials Bug: 293429085 Change-Id: I907cf326e48e4dc180aa0d30e644416d4936ff78 2023-08-22 02:15:39 +02:00			`# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)`
			`# storage of secrets guarded by DICE policies.`
			`binder_call(hal_secretkeeper_client, hal_secretkeeper_server)`

			`hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)`

			`binder_use(hal_secretkeeper_server)`
			`binder_use(hal_secretkeeper_client)`
Allow for ISecretkeeper/default Test: VtsAidlAuthGraphSessionTest Bug: 306364873 Change-Id: I788d6cd67c2b6dfa7b5f14bc66444d18e3fd35d3 2023-11-13 14:06:52 +01:00
			`# The Secretkeeper HAL service needs to communicate with a trusted application running`
			`# in the TEE, which is represented by the tee_device permission.`
			`allow hal_secretkeeper_server tee_device:chr_file rw_file_perms;`