effcac7d7e
This enables access to gatekeeperd for anybody who invokes Android framework APIs. This is necessary because the AndroidKeyStore abstraction offered by the framework API occasionally communicates with gatekeeperd from the calling process. Bug: 20526234 Change-Id: I3362ba07d1a7e5f1c47fe7e9ba6aec5ac3fec747
25 lines
798 B
Text
25 lines
798 B
Text
type gatekeeperd, domain;
|
|
type gatekeeperd_exec, exec_type, file_type;
|
|
|
|
# gatekeeperd
|
|
init_daemon_domain(gatekeeperd)
|
|
binder_service(gatekeeperd)
|
|
binder_use(gatekeeperd)
|
|
allow gatekeeperd tee_device:chr_file rw_file_perms;
|
|
|
|
# need to find KeyStore and add self
|
|
allow gatekeeperd gatekeeper_service:service_manager { add find };
|
|
|
|
# Need to add auth tokens to KeyStore
|
|
use_keystore(gatekeeperd)
|
|
allow gatekeeperd keystore:keystore_key { add_auth };
|
|
|
|
# For permissions checking
|
|
allow gatekeeperd system_server:binder call;
|
|
allow gatekeeperd permission_service:service_manager find;
|
|
|
|
# for SID file access
|
|
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
|
|
allow gatekeeperd gatekeeper_data_file:file create_file_perms;
|
|
|
|
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
|