1type keystore, domain, keystore2_key_type; 2type keystore_exec, system_file_type, exec_type, file_type; 3 4# keystore daemon 5typeattribute keystore mlstrustedsubject; 6binder_use(keystore) 7binder_service(keystore) 8binder_call(keystore, system_server) 9binder_call(keystore, wificond) 10 11allow keystore keystore_data_file:dir create_dir_perms; 12allow keystore keystore_data_file:notdevfile_class_set create_file_perms; 13allow keystore keystore_exec:file { getattr }; 14 15add_service(keystore, keystore_service) 16add_service(keystore, remoteprovisioning_service) 17allow keystore sec_key_att_app_id_provider_service:service_manager find; 18allow keystore dropbox_service:service_manager find; 19add_service(keystore, apc_service) 20add_service(keystore, keystore_compat_hal_service) 21add_service(keystore, authorization_service) 22add_service(keystore, keystore_maintenance_service) 23add_service(keystore, keystore_metrics_service) 24add_service(keystore, legacykeystore_service) 25 26# Check SELinux permissions. 27selinux_check_access(keystore) 28 29r_dir_file(keystore, cgroup) 30r_dir_file(keystore, cgroup_v2) 31 32### 33### Neverallow rules 34### 35### Protect ourself from others 36### 37 38neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }; 39neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr }; 40 41neverallow { domain -keystore -init } keystore_data_file:dir *; 42neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *; 43 44# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?) 45neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace; 46