vendor/google/citadel_provision.te - device/google/coral-sepolicy - Git at Google

 type citadel_provision, domain;
 type citadel_provision_exec, exec_type, vendor_file_type, file_type;

 # Extra permissions for userdebug that allow lazy-provisioning of
 # keymaster preshared-keys, used for faceauth authtoken enforcement.
 # (i.e. for EVT devices that leave factory unprovisioned).
 userdebug_or_eng(`

 init_daemon_domain(citadel_provision)

 vndbinder_use(citadel_provision)
 binder_call(citadel_provision, citadeld)
 allow citadel_provision citadeld_service:service_manager find;
 hwbinder_use(citadel_provision)
 get_prop(citadel_provision, hwservicemanager_prop)
 allow citadel_provision hidl_manager_hwservice:hwservice_manager find;

 allow citadel_provision vndbinder_device:chr_file ioctl;
 allow citadel_provision self:qipcrtr_socket create_socket_perms_no_ioctl;
 allow citadel_provision ion_device:chr_file r_file_perms;
 allow citadel_provision tee_device:chr_file rw_file_perms;
 get_prop(citadel_provision, vendor_tee_listener_prop);

 ')
	type citadel_provision, domain;
	type citadel_provision_exec, exec_type, vendor_file_type, file_type;

	# Extra permissions for userdebug that allow lazy-provisioning of
	# keymaster preshared-keys, used for faceauth authtoken enforcement.
	# (i.e. for EVT devices that leave factory unprovisioned).
	userdebug_or_eng(`

	init_daemon_domain(citadel_provision)

	vndbinder_use(citadel_provision)
	binder_call(citadel_provision, citadeld)
	allow citadel_provision citadeld_service:service_manager find;
	hwbinder_use(citadel_provision)
	get_prop(citadel_provision, hwservicemanager_prop)
	allow citadel_provision hidl_manager_hwservice:hwservice_manager find;

	allow citadel_provision vndbinder_device:chr_file ioctl;
	allow citadel_provision self:qipcrtr_socket create_socket_perms_no_ioctl;
	allow citadel_provision ion_device:chr_file r_file_perms;
	allow citadel_provision tee_device:chr_file rw_file_perms;
	get_prop(citadel_provision, vendor_tee_listener_prop);

	')