Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / refs/heads/android-16 / . / private / keystore.te
blob: 41c29db158e8c1ef485c35b466f56669b07569f0 [file] [log] [blame]
Alex Klyubinf5446eb2017-03-23 14:27:32 -0700[diff] [blame]1typeattribute keystore coredomain;
2
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]3init_daemon_domain(keystore)
Alex Klyubin53656c12017-04-13 19:05:27 -0700[diff] [blame]4
5# talk to keymaster
6hal_client_domain(keystore, hal_keymaster)
7
Janis Danisevskis97c56bd2018-01-09 17:42:53 -0500[diff] [blame]8# talk to confirmationui
9hal_client_domain(keystore, hal_confirmationui)
10
Janis Danisevskisbd464a92020-08-24 07:52:32 -0700[diff] [blame]11# talk to keymint
12hal_client_domain(keystore, hal_keymint)
13
Janis Danisevskis97c56bd2018-01-09 17:42:53 -0500[diff] [blame]14# This is used for the ConfirmationUI async callback.
15allow keystore platform_app:binder call;
16
Pavel Grafovc5b33302018-01-24 19:49:18 +0000[diff] [blame]17# Allow to check whether security logging is enabled.
18get_prop(keystore, device_logging_prop)
Janis Danisevskisc40681f2020-07-25 13:02:29 -0700[diff] [blame]19
Max Biresaaacfdb2022-02-01 21:15:44 -0800[diff] [blame]20# Allow keystore to check if the system is rkp only.
21get_prop(keystore, remote_prov_prop)
22
Vikram Gaurf6c6f452024-09-05 23:00:09 +0000[diff] [blame]23# Allow keystore to check whether to post-process RKP certificates
24get_prop(keystore, remote_prov_cert_prop)
25
Vikram Gaure1c49f52022-09-29 21:20:22 +0000[diff] [blame]26# Allow keystore to check rkpd feature flags
27get_prop(keystore, device_config_remote_key_provisioning_native_prop)
28
Hasini Gunasinghe0112daa2020-06-10 23:34:41 +0000[diff] [blame]29# Allow keystore to write to statsd.
30unix_socket_send(keystore, statsdw, statsd)
Xin Li11da9e62020-08-29 01:45:24 -0700[diff] [blame]31
Eric Biggerscc5cb432023-10-16 21:44:26 +0000[diff] [blame]32# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
Janis Danisevskisc40681f2020-07-25 13:02:29 -0700[diff] [blame]33allow keystore keystore2_key_contexts_file:file r_file_perms;
Hasini Gunasinghe83e1f142020-06-10 21:10:02 +0000[diff] [blame]34
Paul Crowley283aef22022-08-22 09:00:25 -0700[diff] [blame]35# Allow keystore to listen to changing boot levels
Paul Crowleyb0c55712021-02-23 08:40:05 -0800[diff] [blame]36get_prop(keystore, keystore_listen_prop)
Satya Tangiralaa9990042021-03-01 02:53:46 -0800[diff] [blame]37
Paul Crowley4a794522021-06-13 09:56:33 -0700[diff] [blame]38# Keystore needs to transfer binder references to vold so that it
Satya Tangiralaa9990042021-03-01 02:53:46 -0800[diff] [blame]39# can call keystore methods on those references.
40allow keystore vold:binder transfer;
Hasini Gunasinghe4fa6b1a2021-07-02 23:14:50 +0000[diff] [blame]41
Karuna Wadheraad0b4ba2024-12-28 00:33:30 +0000[diff] [blame]42set_prop(keystore, keystore_diagnostics_prop)
Rob Seymourecbadbb2022-07-28 16:23:42 +0000[diff] [blame]43
David Drysdale8b941e52024-12-05 18:31:00 +0000[diff] [blame]44# Allow keystore to monitor the `apexd.status` property.
45get_prop(keystore, apexd_prop)
46
Rob Seymourecbadbb2022-07-28 16:23:42 +0000[diff] [blame]47# keystore is using apex_info via libvintf
48use_apex_info(keystore)
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]49
50typeattribute keystore mlstrustedsubject;
51binder_use(keystore)
52binder_service(keystore)
53binder_call(keystore, remote_provisioning_service_server)
Vikram Gaurf6c6f452024-09-05 23:00:09 +0000[diff] [blame]54binder_call(keystore, rkp_cert_processor)
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]55binder_call(keystore, system_server)
56binder_call(keystore, wificond)
57
58allow keystore keystore_data_file:dir create_dir_perms;
59allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
60allow keystore keystore_exec:file { getattr };
61
62add_service(keystore, keystore_service)
63allow keystore sec_key_att_app_id_provider_service:service_manager find;
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]64allow keystore remote_provisioning_service:service_manager find;
Vikram Gaurf6c6f452024-09-05 23:00:09 +0000[diff] [blame]65allow keystore rkp_cert_processor_service:service_manager find;
66
David Drysdale8b941e52024-12-05 18:31:00 +0000[diff] [blame]67# Allow keystore to communicate to apexd
68allow keystore apex_service:service_manager find;
69allow keystore apexd:binder call;
70
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]71add_service(keystore, apc_service)
72add_service(keystore, keystore_compat_hal_service)
73add_service(keystore, authorization_service)
74add_service(keystore, keystore_maintenance_service)
75add_service(keystore, keystore_metrics_service)
76add_service(keystore, legacykeystore_service)
77
78# Check SELinux permissions.
79selinux_check_access(keystore)
80
81r_dir_file(keystore, cgroup)
82r_dir_file(keystore, cgroup_v2)
83
84# The software KeyMint implementation used in km_compat needs
85# to read the vendor security patch level.
86get_prop(keystore, vendor_security_patch_level_prop);
87
88# Allow keystore to read its vendor configuration
89get_prop(keystore, keystore_config_prop)
90
91###
92### Neverallow rules
93###
94### Protect ourself from others
95###
96
97neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
98neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
99
100neverallow { domain -keystore -init } keystore_data_file:dir *;
101neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
102
Max Biresef438552024-10-16 12:57:48 +0000[diff] [blame]103neverallow * keystore:process ptrace;
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]104
Karuna Wadheraad0b4ba2024-12-28 00:33:30 +0000[diff] [blame]105# Only keystore can set keystore_diagnostics_prop system properties. Since init is allowed to set
106# any system property, an exception is added for init as well.
107neverallow { domain -keystore -init } keystore_diagnostics_prop:property_service set;