platform_system_sepolicy/public/gatekeeperd.te

type gatekeeperd, domain;
type gatekeeperd_exec, exec_type, file_type;

# gatekeeperd
binder_service(gatekeeperd)
binder_use(gatekeeperd)
allow gatekeeperd tee_device:chr_file rw_file_perms;
allow gatekeeperd ion_device:chr_file r_file_perms;

# need to find KeyStore and add self
allow gatekeeperd gatekeeper_service:service_manager { add find };

# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };

# For permissions checking
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;
# For parent user ID lookup
allow gatekeeperd user_service:service_manager find;

# for SID file access
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
allow gatekeeperd gatekeeper_data_file:file create_file_perms;

# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;

r_dir_file(gatekeeperd, cgroup)

neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
gatekeeperd: remove domain_deprecated attribute Test: builds/boots on Angler. No "granted" messages for the removed permissions observed in three months of log audits. Bug: 28760354 Change-Id: I0a6363f094c41392469f438c4399c93ed53fb5ac 2016-10-02 05:47:01 +02:00			`type gatekeeperd, domain;`
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e 2015-04-04 01:46:33 +02:00			`type gatekeeperd_exec, exec_type, file_type;`

			`# gatekeeperd`
Expand access to gatekeeperd. This enables access to gatekeeperd for anybody who invokes Android framework APIs. This is necessary because the AndroidKeyStore abstraction offered by the framework API occasionally communicates with gatekeeperd from the calling process. (cherry picked from commit effcac7d7eddded5fa31d294dfe3fd1757de51c7) Bug: 20526234 Change-Id: I450242cd085259b3f82f36f359ee65ff27bebd13 2015-04-29 01:51:26 +02:00			`binder_service(gatekeeperd)`
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e 2015-04-04 01:46:33 +02:00			`binder_use(gatekeeperd)`
			`allow gatekeeperd tee_device:chr_file rw_file_perms;`
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-10 01:27:17 +02:00			`allow gatekeeperd ion_device:chr_file r_file_perms;`
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e 2015-04-04 01:46:33 +02:00
Allow gatekeeperd to check Android permissions Change-Id: Ie88568c43642505f68d137843a1f6b7a3de481e5 2015-04-09 04:52:19 +02:00			`# need to find KeyStore and add self`
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e 2015-04-04 01:46:33 +02:00			`allow gatekeeperd gatekeeper_service:service_manager { add find };`

Allow gatekeeperd to check Android permissions Change-Id: Ie88568c43642505f68d137843a1f6b7a3de481e5 2015-04-09 04:52:19 +02:00			`# Need to add auth tokens to KeyStore`
Allow gatekeeperd to use keystore needs to call addAuthToken Change-Id: If519df61448f19dfafab254668c17eea6c161ea4 2015-04-13 21:21:08 +02:00			`use_keystore(gatekeeperd)`
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e 2015-04-04 01:46:33 +02:00			`allow gatekeeperd keystore:keystore_key { add_auth };`

Allow gatekeeperd to check Android permissions Change-Id: Ie88568c43642505f68d137843a1f6b7a3de481e5 2015-04-09 04:52:19 +02:00			`# For permissions checking`
			`allow gatekeeperd system_server:binder call;`
			`allow gatekeeperd permission_service:service_manager find;`
[gatekeeperd] allow calls to UserManagerService Bug: 22257554 Change-Id: Ifaf36930bf301708c196f7bd0530abe82c1e0b50 2015-08-05 02:42:22 +02:00			`# For parent user ID lookup`
			`allow gatekeeperd user_service:service_manager find;`
Allow gatekeeperd to check Android permissions Change-Id: Ie88568c43642505f68d137843a1f6b7a3de481e5 2015-04-09 04:52:19 +02:00
New rules for SID access Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e 2015-04-16 22:40:57 +02:00			`# for SID file access`
gatekeeperd: use more specific label for /data file Use a more specific label for /data/misc/gatekeeper Rearrange some other rules. Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5 2015-04-18 02:56:31 +02:00			`allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;`
			`allow gatekeeperd gatekeeper_data_file:file create_file_perms;`
New rules for SID access Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e 2015-04-16 22:40:57 +02:00
Allow gatekeeper to find hardwareproperties service. Bug: 26945055 Change-Id: I5745d02be9889f6a0e02de12bd8d8f2808de9ce0 2016-02-12 20:21:06 +01:00			`# For hardware properties retrieval`
Renamed hardwareproperties to hardware_properties Bug: 27531271 Change-Id: I3c5eee86d09696373ab155f93ba6c85da224cb51 2016-03-09 18:13:11 +01:00			`allow gatekeeperd hardware_properties_service:service_manager find;`
Allow gatekeeper to find hardwareproperties service. Bug: 26945055 Change-Id: I5745d02be9889f6a0e02de12bd8d8f2808de9ce0 2016-02-12 20:21:06 +01:00
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-10 01:27:17 +02:00			`r_dir_file(gatekeeperd, cgroup)`

SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e 2015-04-04 01:46:33 +02:00			`neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;`