e8acd7695b
This adds the premissions required for
android.hardware.keymaster@2.0-service to access the keymaster TA
as well as for keystore and vold to lookup and use
android.hardware.keymaster@2.0-service.
IT DOES NOT remove the privileges from keystore and vold to access
the keymaster TA directly.
Test: Run keystore CTS tests
Bug: 32020919
(cherry picked from commit 5090d6f324)
Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19
41 lines
1.3 KiB
Text
41 lines
1.3 KiB
Text
type keystore, domain, domain_deprecated;
|
|
type keystore_exec, exec_type, file_type;
|
|
|
|
# keystore daemon
|
|
typeattribute keystore mlstrustedsubject;
|
|
binder_use(keystore)
|
|
binder_service(keystore)
|
|
binder_call(keystore, system_server)
|
|
|
|
# talk to keymaster
|
|
binder_call(keystore, hwservicemanager)
|
|
binder_call(keystore, hal_keymaster)
|
|
|
|
allow keystore keystore_data_file:dir create_dir_perms;
|
|
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
|
|
allow keystore keystore_exec:file { getattr };
|
|
allow keystore tee_device:chr_file rw_file_perms;
|
|
allow keystore tee:unix_stream_socket connectto;
|
|
|
|
add_service(keystore, keystore_service)
|
|
allow keystore sec_key_att_app_id_provider_service:service_manager find;
|
|
|
|
# Check SELinux permissions.
|
|
selinux_check_access(keystore)
|
|
|
|
allow keystore ion_device:chr_file r_file_perms;
|
|
r_dir_file(keystore, cgroup)
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### Protect ourself from others
|
|
###
|
|
|
|
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
|
|
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
|
|
|
|
neverallow { domain -keystore -init } keystore_data_file:dir *;
|
|
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
|
|
|
|
neverallow * keystore:process ptrace;
|