gatekeeper HAL service: add security policy
Change-Id: I79a305407c3a362d7be11f4c026f31f1e9666f1c
Signed-off-by: Alexey Polyudov <apolyudov@google.com>
diff --git a/public/attributes b/public/attributes
index faf6b97..9bed18d 100644
--- a/public/attributes
+++ b/public/attributes
@@ -117,6 +117,7 @@
# HALs
attribute hal_audio;
attribute hal_dumpstate;
+attribute hal_gatekeeper;
attribute hal_graphics_allocator;
attribute hal_graphics_composer;
attribute hal_health;
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index f6ec1ab..3831dff 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -1,11 +1,10 @@
-type gatekeeperd, domain;
+# normally uses HAL; implements HAL in pass-through mode only
+type gatekeeperd, hal_gatekeeper, domain;
type gatekeeperd_exec, exec_type, file_type;
# gatekeeperd
binder_service(gatekeeperd)
binder_use(gatekeeperd)
-allow gatekeeperd tee_device:chr_file rw_file_perms;
-allow gatekeeperd ion_device:chr_file r_file_perms;
# need to find KeyStore and add self
allow gatekeeperd gatekeeper_service:service_manager { add find };
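Review bot: Dropping the tee_device and ion_device rules from gatekeeperd does not actually narrow gatekeeperd's access, because the new `type gatekeeperd, hal_gatekeeper, domain;` line makes it a member of the hal_gatekeeper attribute, and public/hal_gatekeeper.te grants that attribute the same `tee_device:chr_file rw_file_perms` and `ion_device:chr_file r_file_perms` rules unconditionally. The comment on the type line says the HAL is only implemented in pass-through mode, but the policy grants the device access in every mode; if the intent is to confine the binderized case, the attribute should presumably be attached only to the pass-through build (hedged, since the build-variant plumbing is not in this diff). At minimum the comment should say what the attribute membership implies, e.g. `# carries hal_gatekeeper so the pass-through HAL can run in-process; this also grants gatekeeperd every rule written for hal_gatekeeper (hwbinder, TEE and ION device access)`.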
@@ -20,6 +19,7 @@
# For permissions checking
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;
+
# For parent user ID lookup
allow gatekeeperd user_service:service_manager find;
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
new file mode 100644
index 0000000..27912b7
--- /dev/null
+++ b/public/hal_gatekeeper.te
@@ -0,0 +1,9 @@
+# hwbinder access
+hwbinder_use(hal_gatekeeper)
+
+# call into gatekeeperd process (callbacks)
+binder_call(hal_gatekeeper, gatekeeperd)
+
+# TEE access.
+allow hal_gatekeeper tee_device:chr_file rw_file_perms;
+allow hal_gatekeeper ion_device:chr_file r_file_perms;
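Review bot: The `# TEE access.` comment covers two rules, but only the tee_device line is TEE access; the ion_device rule is the ION memory allocator, so the comment understates what is being granted and should be split, e.g. `# TEE device access` above the tee_device rule and `# ION allocator (shared memory) read access` above the ion_device rule. The `binder_call(hal_gatekeeper, gatekeeperd)` comment says "callbacks", which reads as gatekeeperd calling the HAL, yet the macro's argument order puts hal_gatekeeper first; if the macro is direction-sensitive (I cannot confirm its definition from this diff), the comment should state which side initiates. Since these rules are written against an attribute rather than a concrete domain, a one-line header stating that every domain tagged hal_gatekeeper inherits all of them would help the next reader judge the blast radius.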