Skip to content
Snippets Groups Projects
Normal view Permalink
keystore.te 1.08 KiB
Newer Older
  • Learn to ignore specific revisions
    • Jeff Vander Stoep's avatar
    Move domain_deprecated into private policy  
    Jeff Vander Stoep committed
    1 
    type keystore, domain;
    Stephen Smalley's avatar
    SE Android policy.
    Stephen Smalley committed
    2 3 4 
    type keystore_exec, exec_type, file_type;

# keystore daemon
    Stephen Smalley's avatar
    Confine keystore, but leave it permissive for now.  
    Stephen Smalley committed
    5 6 7 
    typeattribute keystore mlstrustedsubject;
binder_use(keystore)
binder_service(keystore)
    Janis Danisevskis's avatar
    Allow keystore to access KeyAttestationApplicationIDProviderService  
    Janis Danisevskis committed
    8 
    binder_call(keystore, system_server)
    Janis Danisevskis's avatar
    Preliminary policy for hal_keymaster (TREBLE)  
    Janis Danisevskis committed
    9
    Stephen Smalley's avatar
    Confine keystore, but leave it permissive for now.  
    Stephen Smalley committed
    10 11 12 
    allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
    Nick Kralevich's avatar
    Protect keystore's files.  
    Nick Kralevich committed
    13
    William Roberts's avatar
    te_macros: introduce add_service() macro  
    William Roberts committed
    14 
    add_service(keystore, keystore_service)
    Janis Danisevskis's avatar
    Allow keystore to access KeyAttestationApplicationIDProviderService  
    Janis Danisevskis committed
    15 
    allow keystore sec_key_att_app_id_provider_service:service_manager find;
    Max Bires's avatar
    Adding ability for keystore to find dropbox  
    Max Bires committed
    16 
    allow keystore dropbox_service:service_manager find;
    Stephen Smalley's avatar
    Move allow rules before neverallow rules.  
    Stephen Smalley committed
    17 18 19 20 
    
# Check SELinux permissions.
selinux_check_access(keystore)
    Jeff Vander Stoep's avatar
    audit domain_deprecated perms for removal  
    Jeff Vander Stoep committed
    21 22 
    r_dir_file(keystore, cgroup)
    Nick Kralevich's avatar
    Protect keystore's files.  
    Nick Kralevich committed
    23 24 25 
    ###
### Neverallow rules
###
    Nick Kralevich's avatar
    Don't allow ptrace on keystore  
    Nick Kralevich committed
    26 
    ### Protect ourself from others
    Nick Kralevich's avatar
    Protect keystore's files.  
    Nick Kralevich committed
    27 28 
    ###
    Paul Lawrence's avatar
    New ext4enc kernel switching from xattrs to ioctl  
    Paul Lawrence committed
    29 
    neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
    Nick Kralevich's avatar
    Protect keystore's files.  
    Nick Kralevich committed
    30 31 
    neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
    Stephen Smalley's avatar
    Remove -kernel -recovery from keystore_data_file neverallow.  
    Stephen Smalley committed
    32 33 
    neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
    Nick Kralevich's avatar
    Don't allow ptrace on keystore  
    Nick Kralevich committed
    34
    Nick Kralevich's avatar
    Replace "neverallow domain" by "neverallow *"  
    Nick Kralevich committed
    35 
    neverallow * keystore:process ptrace;