| typeattribute keystore coredomain; |
| |
| init_daemon_domain(keystore) |
| |
| # talk to keymaster |
| hal_client_domain(keystore, hal_keymaster) |
| |
| # talk to confirmationui |
| hal_client_domain(keystore, hal_confirmationui) |
| |
| # talk to keymint |
| hal_client_domain(keystore, hal_keymint) |
| |
| # Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to |
| # access it. |
| # TODO(b/312427637): Investigate the reason and fix the denial. |
| dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find }; |
| |
| # This is used for the ConfirmationUI async callback. |
| allow keystore platform_app:binder call; |
| |
| # Allow to check whether security logging is enabled. |
| get_prop(keystore, device_logging_prop) |
| |
| # Allow keystore to check if the system is rkp only. |
| get_prop(keystore, remote_prov_prop) |
| |
| # Allow keystore to check rkpd feature flags |
| get_prop(keystore, device_config_remote_key_provisioning_native_prop) |
| |
| # Allow keystore to write to statsd. |
| unix_socket_send(keystore, statsdw, statsd) |
| |
| # Keystore need access to the keystore2_key_contexts file to load the keystore key backend. |
| allow keystore keystore2_key_contexts_file:file r_file_perms; |
| |
| # Allow keystore to listen to changing boot levels |
| get_prop(keystore, keystore_listen_prop) |
| |
| # Keystore needs to transfer binder references to vold so that it |
| # can call keystore methods on those references. |
| allow keystore vold:binder transfer; |
| |
| set_prop(keystore, keystore_crash_prop) |
| |
| # keystore is using apex_info via libvintf |
| use_apex_info(keystore) |
| |
| typeattribute keystore mlstrustedsubject; |
| binder_use(keystore) |
| binder_service(keystore) |
| binder_call(keystore, remote_provisioning_service_server) |
| binder_call(keystore, system_server) |
| binder_call(keystore, wificond) |
| |
| allow keystore keystore_data_file:dir create_dir_perms; |
| allow keystore keystore_data_file:notdevfile_class_set create_file_perms; |
| allow keystore keystore_exec:file { getattr }; |
| |
| add_service(keystore, keystore_service) |
| allow keystore sec_key_att_app_id_provider_service:service_manager find; |
| allow keystore dropbox_service:service_manager find; |
| allow keystore remote_provisioning_service:service_manager find; |
| add_service(keystore, apc_service) |
| add_service(keystore, keystore_compat_hal_service) |
| add_service(keystore, authorization_service) |
| add_service(keystore, keystore_maintenance_service) |
| add_service(keystore, keystore_metrics_service) |
| add_service(keystore, legacykeystore_service) |
| |
| # Check SELinux permissions. |
| selinux_check_access(keystore) |
| |
| r_dir_file(keystore, cgroup) |
| r_dir_file(keystore, cgroup_v2) |
| |
| # The software KeyMint implementation used in km_compat needs |
| # to read the vendor security patch level. |
| get_prop(keystore, vendor_security_patch_level_prop); |
| |
| # Allow keystore to read its vendor configuration |
| get_prop(keystore, keystore_config_prop) |
| |
| ### |
| ### Neverallow rules |
| ### |
| ### Protect ourself from others |
| ### |
| |
| neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }; |
| neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr }; |
| |
| neverallow { domain -keystore -init } keystore_data_file:dir *; |
| neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *; |
| |
| # TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?) |
| neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace; |
| |
| # Only keystore can set keystore.crash_count system property. Since init is allowed to set any |
| # system property, an exception is added for init as well. |
| neverallow { domain -keystore -init } keystore_crash_prop:property_service set; |