| type keystore, domain; |
| type keystore_exec, exec_type, file_type; |
| |
| # keystore daemon |
| typeattribute keystore mlstrustedsubject; |
| binder_use(keystore) |
| binder_service(keystore) |
| binder_call(keystore, system_server) |
| |
| allow keystore keystore_data_file:dir create_dir_perms; |
| allow keystore keystore_data_file:notdevfile_class_set create_file_perms; |
| allow keystore keystore_exec:file { getattr }; |
| |
| add_service(keystore, keystore_service) |
| allow keystore sec_key_att_app_id_provider_service:service_manager find; |
| allow keystore dropbox_service:service_manager find; |
| |
| # Check SELinux permissions. |
| selinux_check_access(keystore) |
| |
| r_dir_file(keystore, cgroup) |
| |
| ### |
| ### Neverallow rules |
| ### |
| ### Protect ourself from others |
| ### |
| |
| neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }; |
| neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr }; |
| |
| neverallow { domain -keystore -init } keystore_data_file:dir *; |
| neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *; |
| |
| neverallow * keystore:process ptrace; |