tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/keystore.te
Janis Danisevskis 191940036b Add policy for the security compatibility hal service. 
This service manager is registered by Keystore 2.0 to lookup legacy
wrapper services.

Keystore 2.0 is now written in rust. We have AIDL binding for rust but
no HIDL binding. Keystore 2.0 has to support legacy HIDL based
interfaces. So we implement the AIDL KeyMint interface in terms of the
legacy HIDL Keymaster <=  V4.1 devices in C++. This wrapper is linked
into the Keystore 2.0 process but it cannot be called directly but must
be treated like a remote binder instead. However, we cannot register
these wrappers directly, because a) we are not a vendor component, and
b) it would conflict with genuine KeyMint devices on newer devices. So
Instead we register Keystore 2.0 itself as a legacy service provider.
Which it can query itself for the legacy wrappers if it does not find
a genuine KeyMint implementation to connect to.

Bug: 171351607
Test: Keystore 2.0 can register this Service and lookup legacy wrapper
      services.
Change-Id: I935f23837721ce126531236f4920dba469a47be4
2020-12-15 08:23:52 -08:00

38 lines
1.2 KiB
Text
Raw Blame History

type keystore, domain, keystore2_key_type;
type keystore_exec, system_file_type, exec_type, file_type;
# keystore daemon
typeattribute keystore mlstrustedsubject;
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, system_server)
binder_call(keystore, wificond)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
# Check SELinux permissions.
selinux_check_access(keystore)
r_dir_file(keystore, cgroup)
###
### Neverallow rules
###
### Protect ourself from others
###
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
neverallow * keystore:process ptrace;
Reference in a new issue View git blame Copy permalink