SELinux permissions for gatekeeper TEE proxy

sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients

Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e

dumpstate.te

@@ -107,7 +107,7 @@ allow dumpstate net_data_file:file r_file_perms;
 allow dumpstate tombstone_data_file:dir r_dir_perms;
 allow dumpstate tombstone_data_file:file r_file_perms;
 
-allow dumpstate service_manager_type:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 service_manager_local_audit_domain(dumpstate)
 

file_contexts

@@ -147,6 +147,7 @@
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
+/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
 /system/bin/debuggerd	u:object_r:debuggerd_exec:s0
 /system/bin/debuggerd64	u:object_r:debuggerd_exec:s0
 /system/bin/wpa_supplicant	u:object_r:wpa_exec:s0

gatekeeperd.te

@@ -0,0 +1,15 @@
+type gatekeeperd, domain;
+type gatekeeperd_exec, exec_type, file_type;
+
+# gatekeeperd
+init_daemon_domain(gatekeeperd)
+binder_use(gatekeeperd)
+binder_service(gatekeeperd)
+allow gatekeeperd tee_device:chr_file rw_file_perms;
+
+allow gatekeeperd gatekeeper_service:service_manager { add find };
+
+allow gatekeeperd keystore:keystore_key { add_auth };
+
+neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
+neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;

service.te

@@ -4,6 +4,7 @@ type drmserver_service,         service_manager_type;
 type healthd_service,           service_manager_type;
 type inputflinger_service,      service_manager_type;
 type keystore_service,          service_manager_type;
+type gatekeeper_service,        service_manager_type;
 type mediaserver_service,       service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;

service_contexts

@@ -3,6 +3,7 @@ account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
 alarm                                     u:object_r:alarm_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
+android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
 assetatlas                                u:object_r:assetatlas_service:s0

shell.te

@@ -59,7 +59,8 @@ allow shell kernel:system syslog_read;
 
 # allow shell access to services
 allow shell servicemanager:service_manager list;
-allow shell service_manager_type:service_manager find;
+# don't allow shell to access GateKeeper service
+allow shell { service_manager_type -gatekeeper_service }:service_manager find;
 service_manager_local_audit_domain(shell)
 
 # allow shell to look through /proc/ for ps, top

system_server.te

@@ -360,6 +360,7 @@ allow system_server pstorefs:file r_file_perms;
 allow system_server drmserver_service:service_manager find;
 allow system_server healthd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;