platform_system_sepolicy/private/keystore.te
Inseob Kim 75806ef3c5 Minimize public policy
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-28 00:33:46 +00:00

101 lines
3.5 KiB
Text

typeattribute keystore coredomain;
init_daemon_domain(keystore)
# talk to keymaster
hal_client_domain(keystore, hal_keymaster)
# talk to confirmationui
hal_client_domain(keystore, hal_confirmationui)
# talk to keymint
hal_client_domain(keystore, hal_keymint)
# Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to
# access it.
# TODO(b/312427637): Investigate the reason and fix the denial.
dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find };
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
# Allow keystore to check if the system is rkp only.
get_prop(keystore, remote_prov_prop)
# Allow keystore to check rkpd feature flags
get_prop(keystore, device_config_remote_key_provisioning_native_prop)
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
# Allow keystore to listen to changing boot levels
get_prop(keystore, keystore_listen_prop)
# Keystore needs to transfer binder references to vold so that it
# can call keystore methods on those references.
allow keystore vold:binder transfer;
set_prop(keystore, keystore_crash_prop)
# keystore is using apex_info via libvintf
use_apex_info(keystore)
typeattribute keystore mlstrustedsubject;
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, remote_provisioning_service_server)
binder_call(keystore, system_server)
binder_call(keystore, wificond)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
allow keystore remote_provisioning_service:service_manager find;
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
add_service(keystore, keystore_maintenance_service)
add_service(keystore, keystore_metrics_service)
add_service(keystore, legacykeystore_service)
# Check SELinux permissions.
selinux_check_access(keystore)
r_dir_file(keystore, cgroup)
r_dir_file(keystore, cgroup_v2)
# The software KeyMint implementation used in km_compat needs
# to read the vendor security patch level.
get_prop(keystore, vendor_security_patch_level_prop);
# Allow keystore to read its vendor configuration
get_prop(keystore, keystore_config_prop)
###
### Neverallow rules
###
### Protect ourself from others
###
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
# system property, an exception is added for init as well.
neverallow { domain -keystore -init } keystore_crash_prop:property_service set;