From b348f8f55d20026aadcaf4d393294da9a66ce883 Mon Sep 17 00:00:00 2001
From: Andres Morales <anmorales@google.com>
Date: Thu, 16 Apr 2015 13:40:57 -0700
Subject: [PATCH] New rules for SID access

Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e
---
 gatekeeperd.te | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/gatekeeperd.te b/gatekeeperd.te
index 4a50e2cd8..5f27aa92a 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -17,6 +17,12 @@ allow gatekeeperd keystore:keystore_key { add_auth };
 allow gatekeeperd system_server:binder call;
 allow gatekeeperd permission_service:service_manager find;
 
-neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
+# for SID file access
+allow gatekeeperd system_data_file:dir { add_name write};
+allow gatekeeperd system_data_file:file { write create open };
+
+# Apps using KeyStore API will request the SID from GateKeeper
+allow untrusted_app gatekeeper_service:service_manager find;
+binder_call(untrusted_app, gatekeeperd)
+
 neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
-neverallow { domain -system_server } gatekeeperd:binder call;
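Review bot: The two removed `neverallow` rules are dropped outright rather than narrowed, so the policy no longer has a compile-time guard that only system_server and untrusted_app may find gatekeeper_service or binder-call gatekeeperd; any later `allow` for another domain would now go unnoticed. Keeping the invariant explicit would be `neverallow { domain -gatekeeperd -system_server -untrusted_app } gatekeeper_service:service_manager find;` and `neverallow { domain -system_server -untrusted_app } gatekeeperd:binder call;`, placed next to the surviving `service_manager add` neverallow. The new `system_data_file` rules grant write/create/open on every file of that broad type, not just the SID file; a dedicated file type for gatekeeperd's data with a file transition would scope this down, and the `# for SID file access` comment should name the directory it actually writes so the grant can be audited. The added dir rule also lacks `search` and the file rule lacks `read`/`getattr`; if gatekeeperd reads the SID file back, confirm those are granted elsewhere in gatekeeperd.te (outside this hunk). Minor style: `{ add_name write}` is missing the closing space the other brace sets in this file use.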
-- 