From e207986ea08feebd04f32cd2beff0b1602d08074 Mon Sep 17 00:00:00 2001
From: Andres Morales <anmorales@google.com>
Date: Fri, 3 Apr 2015 16:46:33 -0700
Subject: [PATCH] SELinux permissions for gatekeeper TEE proxy

sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding the GateKeeper binder service
- neverallow rules for prohibited clients

Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
---
 dumpstate.te     |  2 +-
 file_contexts    |  1 +
 gatekeeperd.te   | 15 +++++++++++++++
 service.te       |  1 +
 service_contexts |  1 +
 shell.te         |  3 ++-
 system_server.te |  1 +
 7 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 gatekeeperd.te

diff --git a/dumpstate.te b/dumpstate.te
index 450ca9a22..43daac4ac 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -107,7 +107,7 @@ allow dumpstate net_data_file:file r_file_perms;
 allow dumpstate tombstone_data_file:dir r_dir_perms;
 allow dumpstate tombstone_data_file:file r_file_perms;
 
-allow dumpstate service_manager_type:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 service_manager_local_audit_domain(dumpstate)
 
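Review bot: The changed allow rule excludes gatekeeper_service without any comment, whereas the matching exclusion in shell.te in this same patch carries one; a reader of dumpstate.te on its own cannot tell whether the carve-out is deliberate or a leftover. Add the same marker above the rule, e.g. `# don't allow dumpstate to find the GateKeeper service`, so the two files stay in step and the intent survives the next reformat. The neighbouring tombstone and servicemanager rules are context and unaffected.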
diff --git a/file_contexts b/file_contexts
index 45a3549c0..7ef7b3cdd 100644
--- a/file_contexts
+++ b/file_contexts
@@ -147,6 +147,7 @@
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
+/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
 /system/bin/debuggerd	u:object_r:debuggerd_exec:s0
 /system/bin/debuggerd64	u:object_r:debuggerd_exec:s0
 /system/bin/wpa_supplicant	u:object_r:wpa_exec:s0
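Review bot: The added gatekeeperd entry separates the path from the label with a space, while every adjacent entry in this hunk uses a tab. The format accepts either, but the mismatch breaks the column alignment of the file and is the kind of inconsistency that hides real edits in later diffs; replace the space with a tab as on the keystore and debuggerd lines.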
diff --git a/gatekeeperd.te b/gatekeeperd.te
new file mode 100644
index 000000000..45bf7d948
--- /dev/null
+++ b/gatekeeperd.te
@@ -0,0 +1,15 @@
+type gatekeeperd, domain;
+type gatekeeperd_exec, exec_type, file_type;
+
+# gatekeeperd
+init_daemon_domain(gatekeeperd)
+binder_use(gatekeeperd)
+binder_service(gatekeeperd)
+allow gatekeeperd tee_device:chr_file rw_file_perms;
+
+allow gatekeeperd gatekeeper_service:service_manager { add find };
+
+allow gatekeeperd keystore:keystore_key { add_auth };
+
+neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
+neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
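Review bot: The commit message describes a gatekeeper->keystore binder path, but the new file only grants `allow gatekeeperd keystore:keystore_key { add_auth };`; nothing here lets gatekeeperd look up the keystore service or call into the keystore process, so if the proxy does reach keystore over binder the lookup and the call would be denied at runtime (inferred — the macro definitions and any rules living in other files are not part of this patch). The conventional pair for that is `allow gatekeeperd keystore_service:service_manager find;` and `binder_call(gatekeeperd, keystore)` placed next to the add_auth rule. The two neverallow lines are the enforcement behind the carve-outs in dumpstate.te and shell.te and deserve a one-line comment saying so, e.g. `# only gatekeeperd and system_server may look up the service; only gatekeeperd may register it`. The `# gatekeeperd` heading above the macros says nothing the type declaration does not already say; a short note on what the daemon proxies (the TEE device it opens below) would serve a reader better.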
diff --git a/service.te b/service.te
index a11e64146..2341ff0f1 100644
--- a/service.te
+++ b/service.te
@@ -4,6 +4,7 @@ type drmserver_service,         service_manager_type;
 type healthd_service,           service_manager_type;
 type inputflinger_service,      service_manager_type;
 type keystore_service,          service_manager_type;
+type gatekeeper_service,        service_manager_type;
 type mediaserver_service,       service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
diff --git a/service_contexts b/service_contexts
index 322f34934..003a858f0 100644
--- a/service_contexts
+++ b/service_contexts
@@ -3,6 +3,7 @@ account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
 alarm                                     u:object_r:alarm_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
+android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
 assetatlas                                u:object_r:assetatlas_service:s0
diff --git a/shell.te b/shell.te
index cfadf77c9..0ce2cc41f 100644
--- a/shell.te
+++ b/shell.te
@@ -59,7 +59,8 @@ allow shell kernel:system syslog_read;
 
 # allow shell access to services
 allow shell servicemanager:service_manager list;
-allow shell service_manager_type:service_manager find;
+# don't allow shell to access GateKeeper service
+allow shell { service_manager_type -gatekeeper_service }:service_manager find;
 service_manager_local_audit_domain(shell)
 
 # allow shell to look through /proc/ for ps, top
diff --git a/system_server.te b/system_server.te
index aa0328fef..27fd704a9 100644
--- a/system_server.te
+++ b/system_server.te
@@ -360,6 +360,7 @@ allow system_server pstorefs:file r_file_perms;
 allow system_server drmserver_service:service_manager find;
 allow system_server healthd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
-- 
GitLab