Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Blame Permalink
  • Alex Klyubin's avatar
    6fe344e3
    Remove hal_gatekeeper from gatekeeperd domain · 6fe344e3
    Alex Klyubin authored 
    HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.

This partially reverts the moving of rules out of gatekeeperd in
commit a9ce2086.

Test: Set up PIN-protected secure lock screen, unlock screen, reboot,
      unlock. No SELinux denials in gatekeeperd or hal_gatekeeper*.
Bug: 34715716
Change-Id: If87c865461580ff861e7e228a96d315d319e1765
    6fe344e3
    History
    Remove hal_gatekeeper from gatekeeperd domain
    Alex Klyubin authored 
    HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.

This partially reverts the moving of rules out of gatekeeperd in
commit a9ce2086.

Test: Set up PIN-protected secure lock screen, unlock screen, reboot,
      unlock. No SELinux denials in gatekeeperd or hal_gatekeeper*.
Bug: 34715716
Change-Id: If87c865461580ff861e7e228a96d315d319e1765
gatekeeperd.te 1.29 KiB 
type gatekeeperd, domain;
type gatekeeperd_exec, exec_type, file_type;

# gatekeeperd
binder_service(gatekeeperd)
binder_use(gatekeeperd)

### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
### These rules should eventually be granted only when needed.
allow gatekeeperd tee_device:chr_file rw_file_perms;
allow gatekeeperd ion_device:chr_file r_file_perms;
# Load HAL implementation
allow gatekeeperd system_file:dir r_dir_perms;
###

### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
### These rules should eventually be granted only when needed.
hwbinder_use(gatekeeperd)
###

# need to find KeyStore and add self
add_service(gatekeeperd, gatekeeper_service)

# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };

# For permissions checking
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;

# For parent user ID lookup
allow gatekeeperd user_service:service_manager find;

# for SID file access
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
allow gatekeeperd gatekeeper_data_file:file create_file_perms;

# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;

r_dir_file(gatekeeperd, cgroup)