platform_system_sepolicy/gatekeeperd.te

type gatekeeperd, domain;
type gatekeeperd_exec, exec_type, file_type;

# gatekeeperd
init_daemon_domain(gatekeeperd)
binder_use(gatekeeperd)
allow gatekeeperd tee_device:chr_file rw_file_perms;

# need to find KeyStore and add self
allow gatekeeperd gatekeeper_service:service_manager { add find };

# Need to add auth tokens to KeyStore
allow gatekeeperd keystore_service:service_manager find;
binder_call(gatekeeperd, keystore)
allow gatekeeperd keystore:keystore_key { add_auth };

# For permissions checking
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;

neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
neverallow { domain -system_server } gatekeeperd:binder call;