2020-07-25 22:02:29 +02:00
|
|
|
type keystore, domain, keystore2_key_type;
|
2018-09-27 19:21:37 +02:00
|
|
|
type keystore_exec, system_file_type, exec_type, file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
|
|
|
|
|
# keystore daemon
|
2013-10-29 19:42:37 +01:00
|
|
|
typeattribute keystore mlstrustedsubject;
|
|
|
|
|
binder_use(keystore)
|
|
|
|
|
binder_service(keystore)
|
2016-06-03 20:36:41 +02:00
|
|
|
binder_call(keystore, system_server)
|
2020-01-16 19:17:20 +01:00
|
|
|
binder_call(keystore, wificond)
|
2017-01-28 00:00:27 +01:00
|
|
|
|
2013-10-29 19:42:37 +01:00
|
|
|
allow keystore keystore_data_file:dir create_dir_perms;
|
|
|
|
|
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
|
|
|
|
|
allow keystore keystore_exec:file { getattr };
|
2014-05-09 08:28:52 +02:00
|
|
|
|
2017-01-19 22:23:52 +01:00
|
|
|
add_service(keystore, keystore_service)
|
2016-06-03 20:36:41 +02:00
|
|
|
allow keystore sec_key_att_app_id_provider_service:service_manager find;
|
2018-04-05 04:00:40 +02:00
|
|
|
allow keystore dropbox_service:service_manager find;
|
2020-12-02 03:55:11 +01:00
|
|
|
add_service(keystore, apc_service)
|
2020-12-02 18:52:42 +01:00
|
|
|
add_service(keystore, keystore_compat_hal_service)
|
2015-03-13 21:42:42 +01:00
|
|
|
|
|
|
|
|
# Check SELinux permissions.
|
|
|
|
|
selinux_check_access(keystore)
|
|
|
|
|
|
2016-09-10 01:27:17 +02:00
|
|
|
r_dir_file(keystore, cgroup)
|
|
|
|
|
|
2014-05-09 08:28:52 +02:00
|
|
|
###
|
|
|
|
|
### Neverallow rules
|
|
|
|
|
###
|
2014-05-20 06:49:50 +02:00
|
|
|
### Protect ourself from others
|
2014-05-09 08:28:52 +02:00
|
|
|
###
|
|
|
|
|
|
2015-04-10 16:42:32 +02:00
|
|
|
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
|
2014-05-09 08:28:52 +02:00
|
|
|
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
|
|
|
|
|
|
2014-10-22 17:13:17 +02:00
|
|
|
neverallow { domain -keystore -init } keystore_data_file:dir *;
|
|
|
|
|
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
|
2014-05-20 06:49:50 +02:00
|
|
|
|
2016-02-05 23:48:03 +01:00
|
|
|
neverallow * keystore:process ptrace;
|
