75806ef3c5
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
29 lines
959 B
Text
29 lines
959 B
Text
typeattribute credstore coredomain;
|
|
|
|
init_daemon_domain(credstore)
|
|
|
|
# talk to Identity Credential
|
|
hal_client_domain(credstore, hal_identity)
|
|
|
|
# talk to keymint, specifically for IRemotelyProvisionedComponent/default
|
|
hal_client_domain(credstore, hal_keymint)
|
|
|
|
# credstore needs to get keys from the RKPD
|
|
get_prop(credstore, remote_prov_prop)
|
|
allow credstore remote_provisioning_service:service_manager find;
|
|
|
|
binder_use(credstore)
|
|
binder_service(credstore)
|
|
binder_call(credstore, system_server)
|
|
|
|
allow credstore credstore_data_file:dir create_dir_perms;
|
|
allow credstore credstore_data_file:file create_file_perms;
|
|
|
|
add_service(credstore, credstore_service)
|
|
allow credstore sec_key_att_app_id_provider_service:service_manager find;
|
|
allow credstore dropbox_service:service_manager find;
|
|
allow credstore authorization_service:service_manager find;
|
|
allow credstore keystore:keystore2 get_auth_token;
|
|
|
|
r_dir_file(credstore, cgroup)
|
|
r_dir_file(credstore, cgroup_v2)
|