SELinux permissions for gatekeeper TEE proxy
sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients
Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
diff --git a/dumpstate.te b/dumpstate.te
index 450ca9a..43daac4 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -107,7 +107,7 @@
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;
-allow dumpstate service_manager_type:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
service_manager_local_audit_domain(dumpstate)
diff --git a/file_contexts b/file_contexts
index 45a3549..7ef7b3c 100644
--- a/file_contexts
+++ b/file_contexts
@@ -147,6 +147,7 @@
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/debuggerd u:object_r:debuggerd_exec:s0
/system/bin/debuggerd64 u:object_r:debuggerd_exec:s0
/system/bin/wpa_supplicant u:object_r:wpa_exec:s0
diff --git a/gatekeeperd.te b/gatekeeperd.te
new file mode 100644
index 0000000..45bf7d9
--- /dev/null
+++ b/gatekeeperd.te
@@ -0,0 +1,15 @@
+type gatekeeperd, domain;
+type gatekeeperd_exec, exec_type, file_type;
+
+# gatekeeperd
+init_daemon_domain(gatekeeperd)
+binder_use(gatekeeperd)
+binder_service(gatekeeperd)
+allow gatekeeperd tee_device:chr_file rw_file_perms;
+
+allow gatekeeperd gatekeeper_service:service_manager { add find };
+
+allow gatekeeperd keystore:keystore_key { add_auth };
+
+neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
+neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
diff --git a/service.te b/service.te
index a11e641..2341ff0 100644
--- a/service.te
+++ b/service.te
@@ -4,6 +4,7 @@
type healthd_service, service_manager_type;
type inputflinger_service, service_manager_type;
type keystore_service, service_manager_type;
+type gatekeeper_service, service_manager_type;
type mediaserver_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 322f349..003a858 100644
--- a/service_contexts
+++ b/service_contexts
@@ -3,6 +3,7 @@
activity u:object_r:activity_service:s0
alarm u:object_r:alarm_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
assetatlas u:object_r:assetatlas_service:s0
diff --git a/shell.te b/shell.te
index cfadf77..0ce2cc4 100644
--- a/shell.te
+++ b/shell.te
@@ -59,7 +59,8 @@
# allow shell access to services
allow shell servicemanager:service_manager list;
-allow shell service_manager_type:service_manager find;
+# don't allow shell to access GateKeeper service
+allow shell { service_manager_type -gatekeeper_service }:service_manager find;
service_manager_local_audit_domain(shell)
# allow shell to look through /proc/ for ps, top
diff --git a/system_server.te b/system_server.te
index aa0328f..27fd704 100644
--- a/system_server.te
+++ b/system_server.te
@@ -360,6 +360,7 @@
allow system_server drmserver_service:service_manager find;
allow system_server healthd_service:service_manager find;
allow system_server keystore_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;