Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / f6c6f4555c8f9d7199c03f92b6b054a04194ba58 / . / private / keystore.te
blob: 44503a1572d249b203559a2efa58d12325d9f836 [file] [log] [blame]
Alex Klyubinf5446eb2017-03-23 14:27:32 -0700[diff] [blame]1typeattribute keystore coredomain;
2
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]3init_daemon_domain(keystore)
Alex Klyubin53656c12017-04-13 19:05:27 -0700[diff] [blame]4
5# talk to keymaster
6hal_client_domain(keystore, hal_keymaster)
7
Janis Danisevskis97c56bd2018-01-09 17:42:53 -0500[diff] [blame]8# talk to confirmationui
9hal_client_domain(keystore, hal_confirmationui)
10
Janis Danisevskisbd464a92020-08-24 07:52:32 -0700[diff] [blame]11# talk to keymint
12hal_client_domain(keystore, hal_keymint)
13
Janis Danisevskis97c56bd2018-01-09 17:42:53 -0500[diff] [blame]14# This is used for the ConfirmationUI async callback.
15allow keystore platform_app:binder call;
16
Pavel Grafovc5b33302018-01-24 19:49:18 +0000[diff] [blame]17# Allow to check whether security logging is enabled.
18get_prop(keystore, device_logging_prop)
Janis Danisevskisc40681f2020-07-25 13:02:29 -0700[diff] [blame]19
Max Biresaaacfdb2022-02-01 21:15:44 -0800[diff] [blame]20# Allow keystore to check if the system is rkp only.
21get_prop(keystore, remote_prov_prop)
22
Vikram Gaurf6c6f452024-09-05 23:00:09 +0000[diff] [blame^]23# Allow keystore to check whether to post-process RKP certificates
24get_prop(keystore, remote_prov_cert_prop)
25
Vikram Gaure1c49f52022-09-29 21:20:22 +0000[diff] [blame]26# Allow keystore to check rkpd feature flags
27get_prop(keystore, device_config_remote_key_provisioning_native_prop)
28
Hasini Gunasinghe0112daa2020-06-10 23:34:41 +0000[diff] [blame]29# Allow keystore to write to statsd.
30unix_socket_send(keystore, statsdw, statsd)
Xin Li11da9e62020-08-29 01:45:24 -0700[diff] [blame]31
Eric Biggerscc5cb432023-10-16 21:44:26 +0000[diff] [blame]32# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
Janis Danisevskisc40681f2020-07-25 13:02:29 -0700[diff] [blame]33allow keystore keystore2_key_contexts_file:file r_file_perms;
Hasini Gunasinghe83e1f142020-06-10 21:10:02 +0000[diff] [blame]34
Paul Crowley283aef22022-08-22 09:00:25 -0700[diff] [blame]35# Allow keystore to listen to changing boot levels
Paul Crowleyb0c55712021-02-23 08:40:05 -0800[diff] [blame]36get_prop(keystore, keystore_listen_prop)
Satya Tangiralaa9990042021-03-01 02:53:46 -0800[diff] [blame]37
Paul Crowley4a794522021-06-13 09:56:33 -0700[diff] [blame]38# Keystore needs to transfer binder references to vold so that it
Satya Tangiralaa9990042021-03-01 02:53:46 -0800[diff] [blame]39# can call keystore methods on those references.
40allow keystore vold:binder transfer;
Hasini Gunasinghe4fa6b1a2021-07-02 23:14:50 +0000[diff] [blame]41
Hasini Gunasinghe4fa6b1a2021-07-02 23:14:50 +0000[diff] [blame]42set_prop(keystore, keystore_crash_prop)
Rob Seymourecbadbb2022-07-28 16:23:42 +0000[diff] [blame]43
44# keystore is using apex_info via libvintf
45use_apex_info(keystore)
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]46
47typeattribute keystore mlstrustedsubject;
48binder_use(keystore)
49binder_service(keystore)
50binder_call(keystore, remote_provisioning_service_server)
Vikram Gaurf6c6f452024-09-05 23:00:09 +0000[diff] [blame^]51binder_call(keystore, rkp_cert_processor)
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]52binder_call(keystore, system_server)
53binder_call(keystore, wificond)
54
55allow keystore keystore_data_file:dir create_dir_perms;
56allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
57allow keystore keystore_exec:file { getattr };
58
59add_service(keystore, keystore_service)
60allow keystore sec_key_att_app_id_provider_service:service_manager find;
61allow keystore dropbox_service:service_manager find;
62allow keystore remote_provisioning_service:service_manager find;
Vikram Gaurf6c6f452024-09-05 23:00:09 +0000[diff] [blame^]63allow keystore rkp_cert_processor_service:service_manager find;
64
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]65add_service(keystore, apc_service)
66add_service(keystore, keystore_compat_hal_service)
67add_service(keystore, authorization_service)
68add_service(keystore, keystore_maintenance_service)
69add_service(keystore, keystore_metrics_service)
70add_service(keystore, legacykeystore_service)
71
72# Check SELinux permissions.
73selinux_check_access(keystore)
74
75r_dir_file(keystore, cgroup)
76r_dir_file(keystore, cgroup_v2)
77
78# The software KeyMint implementation used in km_compat needs
79# to read the vendor security patch level.
80get_prop(keystore, vendor_security_patch_level_prop);
81
82# Allow keystore to read its vendor configuration
83get_prop(keystore, keystore_config_prop)
84
85###
86### Neverallow rules
87###
88### Protect ourself from others
89###
90
91neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
92neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
93
94neverallow { domain -keystore -init } keystore_data_file:dir *;
95neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
96
97# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
98neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
99
100# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
101# system property, an exception is added for init as well.
102neverallow { domain -keystore -init } keystore_crash_prop:property_service set;