public/keystore.te - platform/system/sepolicy - Git at Google

 type keystore, domain, keystore2_key_type;
 type keystore_exec, system_file_type, exec_type, file_type;

 # keystore daemon
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
 binder_call(keystore, system_server)
 binder_call(keystore, wificond)

 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };

 add_service(keystore, keystore_service)
 add_service(keystore, remotelyprovisionedkeypool_service)
 add_service(keystore, remoteprovisioning_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 allow keystore dropbox_service:service_manager find;
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
 add_service(keystore, keystore_maintenance_service)
 add_service(keystore, keystore_metrics_service)
 add_service(keystore, legacykeystore_service)

 # Check SELinux permissions.
 selinux_check_access(keystore)

 r_dir_file(keystore, cgroup)
 r_dir_file(keystore, cgroup_v2)

 ###
 ### Neverallow rules
 ###
 ### Protect ourself from others
 ###

 neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };

 neverallow { domain -keystore -init } keystore_data_file:dir *;
 neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;

 # TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
 neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;

 # The software KeyMint implementation used in km_compat needs
 # to read the vendor security patch level.
 get_prop(keystore, vendor_security_patch_level_prop);
	type keystore, domain, keystore2_key_type;
	type keystore_exec, system_file_type, exec_type, file_type;

	# keystore daemon
	typeattribute keystore mlstrustedsubject;
	binder_use(keystore)
	binder_service(keystore)
	binder_call(keystore, system_server)
	binder_call(keystore, wificond)

	allow keystore keystore_data_file:dir create_dir_perms;
	allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
	allow keystore keystore_exec:file { getattr };

	add_service(keystore, keystore_service)
	add_service(keystore, remotelyprovisionedkeypool_service)
	add_service(keystore, remoteprovisioning_service)
	allow keystore sec_key_att_app_id_provider_service:service_manager find;
	allow keystore dropbox_service:service_manager find;
	add_service(keystore, apc_service)
	add_service(keystore, keystore_compat_hal_service)
	add_service(keystore, authorization_service)
	add_service(keystore, keystore_maintenance_service)
	add_service(keystore, keystore_metrics_service)
	add_service(keystore, legacykeystore_service)

	# Check SELinux permissions.
	selinux_check_access(keystore)

	r_dir_file(keystore, cgroup)
	r_dir_file(keystore, cgroup_v2)

	###
	### Neverallow rules
	###
	### Protect ourself from others
	###

	neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
	neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };

	neverallow { domain -keystore -init } keystore_data_file:dir *;
	neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;

	# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
	neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;

	# The software KeyMint implementation used in km_compat needs
	# to read the vendor security patch level.
	get_prop(keystore, vendor_security_patch_level_prop);