platform_system_sepolicy/gatekeeperd.te

type gatekeeperd, domain;
type gatekeeperd_exec, exec_type, file_type;

# gatekeeperd
init_daemon_domain(gatekeeperd)
binder_service(gatekeeperd)
binder_use(gatekeeperd)
allow gatekeeperd tee_device:chr_file rw_file_perms;

# need to find KeyStore and add self
allow gatekeeperd gatekeeper_service:service_manager { add find };

# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };

# For permissions checking
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;

# for SID file access
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
allow gatekeeperd gatekeeper_data_file:file create_file_perms;

neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e 2015-04-04 01:46:33 +02:00			`type gatekeeperd, domain;`
			`type gatekeeperd_exec, exec_type, file_type;`

			`# gatekeeperd`
			`init_daemon_domain(gatekeeperd)`
Expand access to gatekeeperd. This enables access to gatekeeperd for anybody who invokes Android framework APIs. This is necessary because the AndroidKeyStore abstraction offered by the framework API occasionally communicates with gatekeeperd from the calling process. Bug: 20526234 Change-Id: I3362ba07d1a7e5f1c47fe7e9ba6aec5ac3fec747 2015-04-29 01:51:26 +02:00			`binder_service(gatekeeperd)`
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e 2015-04-04 01:46:33 +02:00			`binder_use(gatekeeperd)`
			`allow gatekeeperd tee_device:chr_file rw_file_perms;`

Allow gatekeeperd to check Android permissions Change-Id: Ie88568c43642505f68d137843a1f6b7a3de481e5 2015-04-09 04:52:19 +02:00			`# need to find KeyStore and add self`
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e 2015-04-04 01:46:33 +02:00			`allow gatekeeperd gatekeeper_service:service_manager { add find };`

Allow gatekeeperd to check Android permissions Change-Id: Ie88568c43642505f68d137843a1f6b7a3de481e5 2015-04-09 04:52:19 +02:00			`# Need to add auth tokens to KeyStore`
Allow gatekeeperd to use keystore needs to call addAuthToken Change-Id: If519df61448f19dfafab254668c17eea6c161ea4 2015-04-13 21:21:08 +02:00			`use_keystore(gatekeeperd)`
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e 2015-04-04 01:46:33 +02:00			`allow gatekeeperd keystore:keystore_key { add_auth };`

Allow gatekeeperd to check Android permissions Change-Id: Ie88568c43642505f68d137843a1f6b7a3de481e5 2015-04-09 04:52:19 +02:00			`# For permissions checking`
			`allow gatekeeperd system_server:binder call;`
			`allow gatekeeperd permission_service:service_manager find;`

New rules for SID access Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e 2015-04-16 22:40:57 +02:00			`# for SID file access`
gatekeeperd: use more specific label for /data file Use a more specific label for /data/misc/gatekeeper Rearrange some other rules. Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5 2015-04-18 02:56:31 +02:00			`allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;`
			`allow gatekeeperd gatekeeper_data_file:file create_file_perms;`
New rules for SID access Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e 2015-04-16 22:40:57 +02:00
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e 2015-04-04 01:46:33 +02:00			`neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;`