6fe344e350
HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.
This partially reverts the moving of rules out of gatekeeperd in
commit a9ce208680.
Test: Set up PIN-protected secure lock screen, unlock screen, reboot,
unlock. No SELinux denials in gatekeeperd or hal_gatekeeper*.
Bug: 34715716
Change-Id: If87c865461580ff861e7e228a96d315d319e1765
42 lines
1.3 KiB
Text
42 lines
1.3 KiB
Text
type gatekeeperd, domain;
|
|
type gatekeeperd_exec, exec_type, file_type;
|
|
|
|
# gatekeeperd
|
|
binder_service(gatekeeperd)
|
|
binder_use(gatekeeperd)
|
|
|
|
### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
|
|
### These rules should eventually be granted only when needed.
|
|
allow gatekeeperd tee_device:chr_file rw_file_perms;
|
|
allow gatekeeperd ion_device:chr_file r_file_perms;
|
|
# Load HAL implementation
|
|
allow gatekeeperd system_file:dir r_dir_perms;
|
|
###
|
|
|
|
### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
|
|
### These rules should eventually be granted only when needed.
|
|
hwbinder_use(gatekeeperd)
|
|
###
|
|
|
|
# need to find KeyStore and add self
|
|
add_service(gatekeeperd, gatekeeper_service)
|
|
|
|
# Need to add auth tokens to KeyStore
|
|
use_keystore(gatekeeperd)
|
|
allow gatekeeperd keystore:keystore_key { add_auth };
|
|
|
|
# For permissions checking
|
|
allow gatekeeperd system_server:binder call;
|
|
allow gatekeeperd permission_service:service_manager find;
|
|
|
|
# For parent user ID lookup
|
|
allow gatekeeperd user_service:service_manager find;
|
|
|
|
# for SID file access
|
|
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
|
|
allow gatekeeperd gatekeeper_data_file:file create_file_perms;
|
|
|
|
# For hardware properties retrieval
|
|
allow gatekeeperd hardware_properties_service:service_manager find;
|
|
|
|
r_dir_file(gatekeeperd, cgroup)
|