type keystore, domain, keystore2_key_type; type keystore_exec, system_file_type, exec_type, file_type; # keystore daemon typeattribute keystore mlstrustedsubject; binder_use(keystore) binder_service(keystore) binder_call(keystore, system_server) binder_call(keystore, wificond) allow keystore keystore_data_file:dir create_dir_perms; allow keystore keystore_data_file:notdevfile_class_set create_file_perms; allow keystore keystore_exec:file { getattr }; add_service(keystore, keystore_service) add_service(keystore, remotelyprovisionedkeypool_service) add_service(keystore, remoteprovisioning_service) allow keystore sec_key_att_app_id_provider_service:service_manager find; allow keystore dropbox_service:service_manager find; add_service(keystore, apc_service) add_service(keystore, keystore_compat_hal_service) add_service(keystore, authorization_service) add_service(keystore, keystore_maintenance_service) add_service(keystore, keystore_metrics_service) add_service(keystore, legacykeystore_service) # Check SELinux permissions. selinux_check_access(keystore) r_dir_file(keystore, cgroup) r_dir_file(keystore, cgroup_v2) ### ### Neverallow rules ### ### Protect ourself from others ### neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }; neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr }; neverallow { domain -keystore -init } keystore_data_file:dir *; neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *; # TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?) neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace; # The software KeyMint implementation used in km_compat needs # to read the vendor security patch level. get_prop(keystore, vendor_security_patch_level_prop);