platform_system_sepolicy/keystore.te

type keystore, domain;
type keystore_exec, exec_type, file_type;

# keystore daemon
init_daemon_domain(keystore)
typeattribute keystore mlstrustedsubject;
binder_use(keystore)
binder_service(keystore)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
allow keystore tee_device:chr_file rw_file_perms;
allow keystore tee:unix_stream_socket connectto;

allow keystore keystore_service:service_manager { add find };

# Check SELinux permissions.
selinux_check_access(keystore)

###
### Neverallow rules
###
### Protect ourself from others
###

neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };

neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;

neverallow domain keystore:process ptrace;
SE Android policy. 2012-01-04 18:33:27 +01:00			`type keystore, domain;`
			`type keystore_exec, exec_type, file_type;`

			`# keystore daemon`
			`init_daemon_domain(keystore)`
Confine keystore, but leave it permissive for now. Change-Id: Ia92165478764b062e7e33e7741742f5ec8762ad9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:37 +01:00			`typeattribute keystore mlstrustedsubject;`
			`binder_use(keystore)`
			`binder_service(keystore)`
			`allow keystore keystore_data_file:dir create_dir_perms;`
			`allow keystore keystore_data_file:notdevfile_class_set create_file_perms;`
			`allow keystore keystore_exec:file { getattr };`
			`allow keystore tee_device:chr_file rw_file_perms;`
Allow keystore to talk to the tee On manta, the keystore CTS tests are failing, because keystore isn't allowed to talk to the tee. Allow it. I've only seen this bug on manta, but it seems appropriate for all domains. Fixes the following denial: <5>[ 286.249563] type=1400 audit(1389210059.924:6): avc: denied { connectto } for pid=126 comm="keystore" path=006D636461656D6F6E scontext=u:r:keystore:s0 tcontext=u:r:tee:s0 tclass=unix_stream_socket Bug: 12450710 Change-Id: I07133d9abeaf967392118ba478a5a391cf0c5fa5 2014-01-08 20:47:00 +01:00			`allow keystore tee:unix_stream_socket connectto;`
Protect keystore's files. Only keystore itself should be reading / writing it's files. Remove keystore file access from other SELinux domains, including unconfined. Add neverallow rules to protect against regressions. Allow init limited access to recurse into keystore's directory. Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf 2014-05-09 08:28:52 +02:00
Move allow rules before neverallow rules. There were a few instances where allow rules were appended after the neverallow rules stanza in the .te file. Also there were some regular allow rules inserted into the CTS-specific rules section of app.te. Just move the rules as appropriate. Should be no change in policy. Change-Id: Iec76f32d4b531d245bbf5dd9f621a71ff5c71f3e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-03-13 21:42:42 +01:00			`allow keystore keystore_service:service_manager { add find };`

			`# Check SELinux permissions.`
			`selinux_check_access(keystore)`

Protect keystore's files. Only keystore itself should be reading / writing it's files. Remove keystore file access from other SELinux domains, including unconfined. Add neverallow rules to protect against regressions. Allow init limited access to recurse into keystore's directory. Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf 2014-05-09 08:28:52 +02:00			`###`
			`### Neverallow rules`
			`###`
Don't allow ptrace on keystore keystore may hold sensitive information in it's memory. Don't allow anyone to ptrace keystore. Change-Id: I4e3717e482b9fd128d38ce687c03122d41678b6f 2014-05-20 06:49:50 +02:00			`### Protect ourself from others`
Protect keystore's files. Only keystore itself should be reading / writing it's files. Remove keystore file access from other SELinux domains, including unconfined. Add neverallow rules to protect against regressions. Allow init limited access to recurse into keystore's directory. Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf 2014-05-09 08:28:52 +02:00			`###`

New ext4enc kernel switching from xattrs to ioctl This is one of three changes to enable this functionality: https://android-review.googlesource.com/#/c/146259/ https://android-review.googlesource.com/#/c/146264/ https://android-review.googlesource.com/#/c/146265/ Bug: 18151196 Change-Id: I6ce4bc977a548df93ea5c09430f93eef5ee1f9fa 2015-04-10 16:42:32 +02:00			`neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };`
Protect keystore's files. Only keystore itself should be reading / writing it's files. Remove keystore file access from other SELinux domains, including unconfined. Add neverallow rules to protect against regressions. Allow init limited access to recurse into keystore's directory. Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf 2014-05-09 08:28:52 +02:00			`neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };`

Remove -kernel -recovery from keystore_data_file neverallow. Aside from the keystore daemon itself, only init needs any access to keystore_data_file (in order to create and potentially restorecon /data/misc/keystore). The exceptions for the kernel and recovery domains are unnecessary; no allow rule permits this access in current policy. Change-Id: I5cf6f29ec08174017ac8f5fb36fef166ce360ca0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-10-22 17:13:17 +02:00			`neverallow { domain -keystore -init } keystore_data_file:dir *;`
			`neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;`
Don't allow ptrace on keystore keystore may hold sensitive information in it's memory. Don't allow anyone to ptrace keystore. Change-Id: I4e3717e482b9fd128d38ce687c03122d41678b6f 2014-05-20 06:49:50 +02:00
			`neverallow domain keystore:process ptrace;`