commit 75806ef3c529c019ab002072cca7951b91f245aa
author Inseob Kim <inseob@google.com> Wed Mar 27 17:18:41 2024 +0900
committer Inseob Kim <inseob@google.com> Thu Mar 28 00:33:46 2024 +0000
tree cbd0c46779774cd09f127c0e20144c39dff08dca
parent e98c6d2b38114e0819a558ef5e0d2793a30eebff

Minimize public policy

Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12

private/keystore.te

diff --git a/private/keystore.te b/private/keystore.te
index b81ccfa..b35a16e 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -41,10 +41,61 @@
 # can call keystore methods on those references.
 allow keystore vold:binder transfer;
 
-# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
-# system property, an exception is added for init as well.
 set_prop(keystore, keystore_crash_prop)
-neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
 
 # keystore is using apex_info via libvintf
 use_apex_info(keystore)
+
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+binder_call(keystore, remote_provisioning_service_server)
+binder_call(keystore, system_server)
+binder_call(keystore, wificond)
+
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+
+add_service(keystore, keystore_service)
+allow keystore sec_key_att_app_id_provider_service:service_manager find;
+allow keystore dropbox_service:service_manager find;
+allow keystore remote_provisioning_service:service_manager find;
+add_service(keystore, apc_service)
+add_service(keystore, keystore_compat_hal_service)
+add_service(keystore, authorization_service)
+add_service(keystore, keystore_maintenance_service)
+add_service(keystore, keystore_metrics_service)
+add_service(keystore, legacykeystore_service)
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
+r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
+
+# The software KeyMint implementation used in km_compat needs
+# to read the vendor security patch level.
+get_prop(keystore, vendor_security_patch_level_prop);
+
+# Allow keystore to read its vendor configuration
+get_prop(keystore, keystore_config_prop)
+
+###
+### Neverallow rules
+###
+### Protect ourself from others
+###
+
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow { domain -keystore -init } keystore_data_file:dir *;
+neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
+
+# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
+neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
+
+# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
+# system property, an exception is added for init as well.
+neverallow { domain -keystore -init } keystore_crash_prop:property_service set;