Merge "Confine keystore, but leave it permissive for now."

cdf54ba7 · Nick Kralevich · Gerrit Code Review · b3c48b66 · cdd83f4e · cdf54ba7
Commit cdf54ba7 authored 11 years ago by Nick Kralevich Committed by Gerrit Code Review 11 years ago
--- a/keystore.te
+++ b/keystore.te
 type keystore, domain;
+permissive keystore;
 type keystore_exec, exec_type, file_type;

 # keystore daemon
 init_daemon_domain(keystore)
-unconfined_domain(keystore)
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+allow keystore tee_device:chr_file rw_file_perms;