f90c41f6e8
Add a service_mananger class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
29 lines
1 KiB
Text
29 lines
1 KiB
Text
type keystore, domain;
|
|
type keystore_exec, exec_type, file_type;
|
|
|
|
# keystore daemon
|
|
init_daemon_domain(keystore)
|
|
typeattribute keystore mlstrustedsubject;
|
|
binder_use(keystore)
|
|
binder_service(keystore)
|
|
allow keystore keystore_data_file:dir create_dir_perms;
|
|
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
|
|
allow keystore keystore_exec:file { getattr };
|
|
allow keystore tee_device:chr_file rw_file_perms;
|
|
allow keystore tee:unix_stream_socket connectto;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### Protect ourself from others
|
|
###
|
|
|
|
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
|
|
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
|
|
|
|
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
|
|
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
|
|
|
|
neverallow domain keystore:process ptrace;
|
|
|
|
allow keystore keystore_service:service_manager add;
|