5c6a227ebb
Copy the final system sepolicy from oc-dev to its prebuilt dir corresponding to its version (26.0) so that we can uprev policy and start maintaining compatibility files, as well as use it for CTS tests targeting future platforms. Bug: 37896931 Test: none, this just copies the old policy. Change-Id: Ib069d505e42595c467e5d1164fb16fcb0286ab93
34 lines
1 KiB
Text
34 lines
1 KiB
Text
type keystore, domain;
|
|
type keystore_exec, exec_type, file_type;
|
|
|
|
# keystore daemon
|
|
typeattribute keystore mlstrustedsubject;
|
|
binder_use(keystore)
|
|
binder_service(keystore)
|
|
binder_call(keystore, system_server)
|
|
|
|
allow keystore keystore_data_file:dir create_dir_perms;
|
|
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
|
|
allow keystore keystore_exec:file { getattr };
|
|
|
|
add_service(keystore, keystore_service)
|
|
allow keystore sec_key_att_app_id_provider_service:service_manager find;
|
|
|
|
# Check SELinux permissions.
|
|
selinux_check_access(keystore)
|
|
|
|
r_dir_file(keystore, cgroup)
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### Protect ourself from others
|
|
###
|
|
|
|
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
|
|
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
|
|
|
|
neverallow { domain -keystore -init } keystore_data_file:dir *;
|
|
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
|
|
|
|
neverallow * keystore:process ptrace;
|