| type keystore, domain, domain_deprecated; |
| type keystore_exec, exec_type, file_type; |
| |
| # keystore daemon |
| init_daemon_domain(keystore) |
| typeattribute keystore mlstrustedsubject; |
| binder_use(keystore) |
| binder_service(keystore) |
| binder_call(keystore, system_server) |
| allow keystore keystore_data_file:dir create_dir_perms; |
| allow keystore keystore_data_file:notdevfile_class_set create_file_perms; |
| allow keystore keystore_exec:file { getattr }; |
| allow keystore tee_device:chr_file rw_file_perms; |
| allow keystore tee:unix_stream_socket connectto; |
| |
| allow keystore keystore_service:service_manager { add find }; |
| allow keystore sec_key_att_app_id_provider_service:service_manager find; |
| |
| # Check SELinux permissions. |
| selinux_check_access(keystore) |
| |
| allow keystore ion_device:chr_file r_file_perms; |
| r_dir_file(keystore, cgroup) |
| |
| ### |
| ### Neverallow rules |
| ### |
| ### Protect ourself from others |
| ### |
| |
| neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }; |
| neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr }; |
| |
| neverallow { domain -keystore -init } keystore_data_file:dir *; |
| neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *; |
| |
| neverallow * keystore:process ptrace; |