1# Helper process for compos to perform key derivation & signing 2type compos_key_helper, domain, coredomain; 3type compos_key_helper_exec, exec_type, file_type, system_file_type; 4 5# This domain has access to DICE secrets & the private signing key. 6# Block crash dumps to ensure the secrets are not leaked. 7typeattribute compos_key_helper no_crash_dump_domain; 8 9# Communicate with compos via stdin/stdout pipes 10allow compos_key_helper compos:fd use; 11allow compos_key_helper compos:fifo_file { getattr read write }; 12 13# Write to /dev/kmsg. 14allow compos_key_helper kmsg_device:chr_file rw_file_perms; 15 16# Communicate with microdroid manager to get DICE information 17unix_socket_connect(compos_key_helper, vm_payload_service, microdroid_manager) 18