# SELinux policy for the keystore daemon. keystore is a core-domain init daemon; each rule
# below grants exactly one capability it needs (HAL client access, a handful of properties,
# a stats socket, its key-backend context files, and two binder permissions), and the trailing
# neverallow pins the crash-count property to keystore (plus init) so that no other domain
# can set it.

# keystore belongs to the core (platform) domain set.
typeattribute keystore coredomain;

# Domain transition for the daemon when init launches it.
init_daemon_domain(keystore)

# talk to keymaster
hal_client_domain(keystore, hal_keymaster)

# talk to confirmationui
hal_client_domain(keystore, hal_confirmationui)

# talk to keymint
hal_client_domain(keystore, hal_keymint)

# This is used for the ConfirmationUI async callback: keystore calls back into the
# platform app over binder (call only, no transfer).
allow keystore platform_app:binder call;

# Allow to check whether security logging is enabled (read-only).
get_prop(keystore, device_logging_prop)

# Allow keystore to check if the system is rkp only (remote key provisioning); read-only.
get_prop(keystore, remote_prov_prop)

# Allow keystore to write to statsd over the stats socket (send only).
unix_socket_send(keystore, statsdw, statsd)

# Keystore needs read access to the keystore_key context files to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;

# Read-only access to keystore_listen_prop. NOTE(review): presumably the property keystore
# consults to decide when to start accepting clients — confirm against the property's definition.
get_prop(keystore, keystore_listen_prop)

# Keystore needs to transfer binder references to vold so that it
# can call keystore methods on those references.
allow keystore vold:binder transfer;

# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
# system property, an exception is added for init as well. The neverallow is checked at policy
# build time: any other domain that is granted set on keystore_crash_prop fails compilation.
set_prop(keystore, keystore_crash_prop)
neverallow { domain -keystore -init } keystore_crash_prop:property_service set;