microdroid/system/private/compos_key_helper.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # Helper process for compos to perform key derivation & signing
 type compos_key_helper, domain, coredomain;
 type compos_key_helper_exec, exec_type, file_type, system_file_type;

 # This domain has access to DICE secrets & the private signing key.
 # Block crash dumps to ensure the secrets are not leaked.
 typeattribute compos_key_helper no_crash_dump_domain;

 # Communicate with compos via stdin/stdout pipes
 allow compos_key_helper compos:fd use;
 allow compos_key_helper compos:fifo_file { getattr read write };

 # Write to /dev/kmsg.
 allow compos_key_helper kmsg_device:chr_file rw_file_perms;

 # Communicate with microdroid manager to get DICE information
 unix_socket_connect(compos_key_helper, vm_payload_service, microdroid_manager)
	# Helper process for compos to perform key derivation & signing
	type compos_key_helper, domain, coredomain;
	type compos_key_helper_exec, exec_type, file_type, system_file_type;

	# This domain has access to DICE secrets & the private signing key.
	# Block crash dumps to ensure the secrets are not leaked.
	typeattribute compos_key_helper no_crash_dump_domain;

	# Communicate with compos via stdin/stdout pipes
	allow compos_key_helper compos:fd use;
	allow compos_key_helper compos:fifo_file { getattr read write };

	# Write to /dev/kmsg.
	allow compos_key_helper kmsg_device:chr_file rw_file_perms;

	# Communicate with microdroid manager to get DICE information
	unix_socket_connect(compos_key_helper, vm_payload_service, microdroid_manager)