# SELinux policy for the keystore daemon.
# keystore is a member of coredomain.
typeattribute keystore coredomain;

# Set up the init -> keystore domain transition for the daemon.
init_daemon_domain(keystore)

# ---- HAL clients ----
# keystore is a client of the keymaster, keymint and confirmationui HALs.
hal_client_domain(keystore, hal_keymaster)
hal_client_domain(keystore, hal_keymint)
hal_client_domain(keystore, hal_confirmationui)

# ---- Binder ----
# Outbound binder call used for the ConfirmationUI async callback.
# NOTE(review): the target is the whole platform_app type, so this permits
# calls into any process in that domain, not only the ConfirmationUI caller.
allow keystore platform_app:binder call;

# Binder references are handed to vold and wait_for_keymaster so that they
# can call keystore methods on those references.
allow keystore { vold wait_for_keymaster }:binder transfer;

# ---- Files and sockets ----
# The keystore_key context files are read in order to load the keystore key
# backend; r_file_perms grants read access only.
allow keystore keystore2_key_contexts_file:file r_file_perms;

# Metrics are written to statsd through its statsdw socket.
unix_socket_send(keystore, statsdw, statsd)

# ---- System properties ----
# Read: check whether security logging is enabled.
get_prop(keystore, device_logging_prop)

# Read: keystore_listen_prop (its purpose is not stated in this file).
get_prop(keystore, keystore_listen_prop)

# Write: keystore.crash_count (keystore_crash_prop) may be set by keystore only.
# init is excepted below because it is allowed to set any system property.
# The neverallow is a policy-build-time assertion: a later rule that grants
# "set" on this property to any other domain fails the build.
set_prop(keystore, keystore_crash_prop)
neverallow { domain -keystore -init } keystore_crash_prop:property_service set;