platform_system_sepolicy/public/gatekeeperd.te
Alex Klyubin 9e6b24c6a5 Annotate most remaining HALs with _client/_server
This switches most remaining HALs to the _client/_server approach.
To unblock efforts blocked on majority of HALs having to use this
model, this change does not remove unnecessary rules from clients of
these HALs. That work will be performed in follow-up commits. This
commit only adds allow rules and thus does not break existing
functionality.

The HALs not yet on the _client/_server model after this commit are:
* Allocator HAL, because it's non-trivial to declare all apps except
  isolated apps as clients of this HAL, which they are.
* Boot HAL, because it's still on the non-attributized model and I'm
  waiting for update_engine folks to answer a couple of questions
  which will let me refactor the policy of this HAL.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: Device boots in recovery mode, no new denials
Bug: 34170079
Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-16 19:55:16 -07:00

43 lines
1.3 KiB
Text

type gatekeeperd, domain;
type gatekeeperd_exec, exec_type, file_type;
# gatekeeperd
binder_service(gatekeeperd)
binder_use(gatekeeperd)
### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
### These rules should eventually be granted only when needed.
allow gatekeeperd tee_device:chr_file rw_file_perms;
allow gatekeeperd ion_device:chr_file r_file_perms;
# Load HAL implementation
allow gatekeeperd system_file:dir r_dir_perms;
###
### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
### These rules should eventually be granted only when needed.
hwbinder_use(gatekeeperd)
hal_client_domain(gatekeeperd, hal_gatekeeper)
###
# need to find KeyStore and add self
add_service(gatekeeperd, gatekeeper_service)
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };
# For permissions checking
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;
# For parent user ID lookup
allow gatekeeperd user_service:service_manager find;
# for SID file access
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
allow gatekeeperd gatekeeper_data_file:file create_file_perms;
# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;
r_dir_file(gatekeeperd, cgroup)