private/keystore.te - platform/system/sepolicy - Git at Google

 typeattribute keystore coredomain;

 init_daemon_domain(keystore)

 # talk to keymaster
 hal_client_domain(keystore, hal_keymaster)

 # talk to confirmationui
 hal_client_domain(keystore, hal_confirmationui)

 # talk to keymint
 hal_client_domain(keystore, hal_keymint)

 # Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to
 # access it.
 # TODO(b/312427637): Investigate the reason and fix the denial.
 dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find };

 # This is used for the ConfirmationUI async callback.
 allow keystore platform_app:binder call;

 # Allow to check whether security logging is enabled.
 get_prop(keystore, device_logging_prop)

 # Allow keystore to check if the system is rkp only.
 get_prop(keystore, remote_prov_prop)

 # Allow keystore to check rkpd feature flags
 get_prop(keystore, device_config_remote_key_provisioning_native_prop)

 # Allow keystore to write to statsd.
 unix_socket_send(keystore, statsdw, statsd)

 # Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
 allow keystore keystore2_key_contexts_file:file r_file_perms;

 # Allow keystore to listen to changing boot levels
 get_prop(keystore, keystore_listen_prop)

 # Keystore needs to transfer binder references to vold so that it
 # can call keystore methods on those references.
 allow keystore vold:binder transfer;

 set_prop(keystore, keystore_crash_prop)

 # keystore is using apex_info via libvintf
 use_apex_info(keystore)

 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
 binder_call(keystore, remote_provisioning_service_server)
 binder_call(keystore, system_server)
 binder_call(keystore, wificond)

 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };

 add_service(keystore, keystore_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 allow keystore dropbox_service:service_manager find;
 allow keystore remote_provisioning_service:service_manager find;
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
 add_service(keystore, keystore_maintenance_service)
 add_service(keystore, keystore_metrics_service)
 add_service(keystore, legacykeystore_service)

 # Check SELinux permissions.
 selinux_check_access(keystore)

 r_dir_file(keystore, cgroup)
 r_dir_file(keystore, cgroup_v2)

 # The software KeyMint implementation used in km_compat needs
 # to read the vendor security patch level.
 get_prop(keystore, vendor_security_patch_level_prop);

 # Allow keystore to read its vendor configuration
 get_prop(keystore, keystore_config_prop)

 ###
 ### Neverallow rules
 ###
 ### Protect ourself from others
 ###

 neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };

 neverallow { domain -keystore -init } keystore_data_file:dir *;
 neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;

 # TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
 neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;

 # Only keystore can set keystore.crash_count system property. Since init is allowed to set any
 # system property, an exception is added for init as well.
 neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
	typeattribute keystore coredomain;

	init_daemon_domain(keystore)

	# talk to keymaster
	hal_client_domain(keystore, hal_keymaster)

	# talk to confirmationui
	hal_client_domain(keystore, hal_confirmationui)

	# talk to keymint
	hal_client_domain(keystore, hal_keymint)

	# Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to
	# access it.
	# TODO(b/312427637): Investigate the reason and fix the denial.
	dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find };

	# This is used for the ConfirmationUI async callback.
	allow keystore platform_app:binder call;

	# Allow to check whether security logging is enabled.
	get_prop(keystore, device_logging_prop)

	# Allow keystore to check if the system is rkp only.
	get_prop(keystore, remote_prov_prop)

	# Allow keystore to check rkpd feature flags
	get_prop(keystore, device_config_remote_key_provisioning_native_prop)

	# Allow keystore to write to statsd.
	unix_socket_send(keystore, statsdw, statsd)

	# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
	allow keystore keystore2_key_contexts_file:file r_file_perms;

	# Allow keystore to listen to changing boot levels
	get_prop(keystore, keystore_listen_prop)

	# Keystore needs to transfer binder references to vold so that it
	# can call keystore methods on those references.
	allow keystore vold:binder transfer;

	set_prop(keystore, keystore_crash_prop)

	# keystore is using apex_info via libvintf
	use_apex_info(keystore)

	typeattribute keystore mlstrustedsubject;
	binder_use(keystore)
	binder_service(keystore)
	binder_call(keystore, remote_provisioning_service_server)
	binder_call(keystore, system_server)
	binder_call(keystore, wificond)

	allow keystore keystore_data_file:dir create_dir_perms;
	allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
	allow keystore keystore_exec:file { getattr };

	add_service(keystore, keystore_service)
	allow keystore sec_key_att_app_id_provider_service:service_manager find;
	allow keystore dropbox_service:service_manager find;
	allow keystore remote_provisioning_service:service_manager find;
	add_service(keystore, apc_service)
	add_service(keystore, keystore_compat_hal_service)
	add_service(keystore, authorization_service)
	add_service(keystore, keystore_maintenance_service)
	add_service(keystore, keystore_metrics_service)
	add_service(keystore, legacykeystore_service)

	# Check SELinux permissions.
	selinux_check_access(keystore)

	r_dir_file(keystore, cgroup)
	r_dir_file(keystore, cgroup_v2)

	# The software KeyMint implementation used in km_compat needs
	# to read the vendor security patch level.
	get_prop(keystore, vendor_security_patch_level_prop);

	# Allow keystore to read its vendor configuration
	get_prop(keystore, keystore_config_prop)

	###
	### Neverallow rules
	###
	### Protect ourself from others
	###

	neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
	neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };

	neverallow { domain -keystore -init } keystore_data_file:dir *;
	neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;

	# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
	neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;

	# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
	# system property, an exception is added for init as well.
	neverallow { domain -keystore -init } keystore_crash_prop:property_service set;