From effcac7d7eddded5fa31d294dfe3fd1757de51c7 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Tue, 28 Apr 2015 16:51:26 -0700
Subject: [PATCH] Expand access to gatekeeperd.

This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.

Bug: 20526234
Change-Id: I3362ba07d1a7e5f1c47fe7e9ba6aec5ac3fec747
---
 gatekeeperd.te   | 1 +
 service.te       | 2 +-
 untrusted_app.te | 4 ----
 3 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/gatekeeperd.te b/gatekeeperd.te
index 39d9d210c..4d62ce4f7 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -3,6 +3,7 @@ type gatekeeperd_exec, exec_type, file_type;
 
 # gatekeeperd
 init_daemon_domain(gatekeeperd)
+binder_service(gatekeeperd)
 binder_use(gatekeeperd)
 allow gatekeeperd tee_device:chr_file rw_file_perms;
 
diff --git a/service.te b/service.te
index da01071b5..3dfa296cf 100644
--- a/service.te
+++ b/service.te
@@ -1,10 +1,10 @@
 type bluetooth_service,         service_manager_type;
 type default_android_service,   service_manager_type;
 type drmserver_service,         service_manager_type;
+type gatekeeper_service,        app_api_service, service_manager_type;
 type healthd_service,           service_manager_type;
 type inputflinger_service,      service_manager_type;
 type keystore_service,          service_manager_type;
-type gatekeeper_service,        service_manager_type;
 type mediaserver_service,       service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
diff --git a/untrusted_app.te b/untrusted_app.te
index 1b7aaeefd..5ad8c79bd 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -93,10 +93,6 @@ allow untrusted_app persistent_data_block_service:service_manager find;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
 
-# Apps using KeyStore API will request the SID from GateKeeper
-allow untrusted_app gatekeeper_service:service_manager find;
-binder_call(untrusted_app, gatekeeperd)
-
 ###
 ### neverallow rules
 ###