platform_system_sepolicy/public/keystore.te
Nick Kralevich 5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00

35 lines
1.1 KiB
Text

type keystore, domain;
type keystore_exec, system_file_type, exec_type, file_type;
# keystore daemon
typeattribute keystore mlstrustedsubject;
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, system_server)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
# Check SELinux permissions.
selinux_check_access(keystore)
r_dir_file(keystore, cgroup)
###
### Neverallow rules
###
### Protect ourself from others
###
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
neverallow * keystore:process ptrace;