# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
# storage of secrets guarded by DICE policies.
binder_call(hal_secretkeeper_client, hal_secretkeeper_server)

hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)

binder_use(hal_secretkeeper_server)
binder_use(hal_secretkeeper_client)

# The Secretkeeper HAL service needs to communicate with a trusted application running
# in the TEE, which is represented by the tee_device permission.
allow hal_secretkeeper_server tee_device:chr_file rw_file_perms;