###
### keystore domain: the keystore2 daemon, started by init and living in
### coredomain. It fronts the Keymaster/KeyMint/ConfirmationUI HALs, stores
### key blobs under keystore_data_file, and enforces its own per-key access
### policy by consulting SELinux.
###

typeattribute keystore coredomain;

# mlstrustedsubject: keystore serves every app and user on the device, so it
# must be able to cross MLS levels when it handles their binder calls.
typeattribute keystore mlstrustedsubject;

# init launches keystore via a domain transition on keystore_exec.
init_daemon_domain(keystore)
allow keystore keystore_exec:file { getattr };

###
### HAL clients
###

# Legacy Keymaster HAL (still used via the km_compat wrapper).
hal_client_domain(keystore, hal_keymaster)

# KeyMint, the current key-management HAL.
hal_client_domain(keystore, hal_keymint)

# ConfirmationUI (Android Protected Confirmation).
hal_client_domain(keystore, hal_confirmationui)

###
### Binder: services keystore publishes and peers it talks to
###

binder_use(keystore)
binder_service(keystore)

# Services registered by keystore with servicemanager.
add_service(keystore, keystore_service)
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
add_service(keystore, keystore_maintenance_service)
add_service(keystore, keystore_metrics_service)
add_service(keystore, legacykeystore_service)

# Services keystore looks up.
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore remote_provisioning_service:service_manager find;
allow keystore rkp_cert_processor_service:service_manager find;

# Peers keystore calls directly (remote key provisioning, certificate
# post-processing, system_server, wificond).
binder_call(keystore, remote_provisioning_service_server)
binder_call(keystore, rkp_cert_processor)
binder_call(keystore, system_server)
binder_call(keystore, wificond)

# The ConfirmationUI result is delivered asynchronously to a platform_app
# callback, which is a call *from* keystore into the app.
allow keystore platform_app:binder call;

# vold receives binder references from keystore so it can call back into
# keystore on them; only transfer is needed, not call.
allow keystore vold:binder transfer;

# apexd: look up the apex service, call it, and read apex_info via libvintf.
allow keystore apex_service:service_manager find;
allow keystore apexd:binder call;
use_apex_info(keystore)

###
### System properties
###

# apexd.status: keystore waits on apexd's progress.
get_prop(keystore, apexd_prop)

# Whether security logging is enabled.
get_prop(keystore, device_logging_prop)

# Remote key provisioning: RKP-only mode, certificate post-processing, and
# the rkpd feature flags served through device_config.
get_prop(keystore, remote_prov_prop)
get_prop(keystore, remote_prov_cert_prop)
get_prop(keystore, device_config_remote_key_provisioning_native_prop)

# Boot-level changes that keystore listens for.
get_prop(keystore, keystore_listen_prop)

# Vendor security patch level, read by the software KeyMint implementation
# inside km_compat.
get_prop(keystore, vendor_security_patch_level_prop)

# Vendor-supplied keystore configuration.
get_prop(keystore, keystore_config_prop)

# Diagnostics property: keystore is the only writer besides init (see the
# neverallow at the bottom of this file).
set_prop(keystore, keystore_diagnostics_prop)

###
### Files, sockets and misc
###

# Key blob storage. Full create/modify rights on the directory tree and on
# every non-device file class beneath it.
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;

# keystore2_key_contexts maps key namespaces to SELinux labels; keystore
# reads it when loading the key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;

# keystore makes its own per-key access decisions by asking the kernel AVC
# (the labels come from keystore2_key_contexts above).
selinux_check_access(keystore)

# Metrics are pushed to statsd over its unix socket.
unix_socket_send(keystore, statsdw, statsd)

# Read-only view of cgroup (v1 and v2) hierarchies.
r_dir_file(keystore, cgroup)
r_dir_file(keystore, cgroup_v2)

###
### Neverallow rules
###
### Protect ourself from others
###

# Taken together the four rules below mean: no domain other than keystore
# and init may touch keystore_data_file at all, and init is limited to the
# listed permissions (it may create/relabel/stat the tree but never write,
# read or unlink key blobs).
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };

neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;

# Nobody, not even a debugger domain, may ptrace keystore: its address space
# holds key material.
neverallow * keystore:process ptrace;

# Only keystore can set keystore_diagnostics_prop system properties. Since init is allowed to set
# any system property, an exception is added for init as well.
neverallow { domain -keystore -init } keystore_diagnostics_prop:property_service set;