Skip to content

GitLab

Switch branch/tag
Find file Normal viewHistoryPermalink
gatekeeperd.te 898 Bytes
Newer Older
Jeff Vander Stoep's avatar
Create attribute for moving perms out of domain  
Jeff Vander Stoep committed
1 
type gatekeeperd, domain, domain_deprecated;
Andres Morales's avatar
SELinux permissions for gatekeeper TEE proxy  
Andres Morales committed
2 3 4 5 
type gatekeeperd_exec, exec_type, file_type;

# gatekeeperd
init_daemon_domain(gatekeeperd)
Alex Klyubin's avatar
Expand access to gatekeeperd.  
Alex Klyubin committed
6 
binder_service(gatekeeperd)
Andres Morales's avatar
SELinux permissions for gatekeeper TEE proxy  
Andres Morales committed
7 8 9 
binder_use(gatekeeperd)
allow gatekeeperd tee_device:chr_file rw_file_perms;
Andres Morales's avatar
Allow gatekeeperd to check Android permissions  
Andres Morales committed
10 
# need to find KeyStore and add self
Andres Morales's avatar
SELinux permissions for gatekeeper TEE proxy  
Andres Morales committed
11 12 
allow gatekeeperd gatekeeper_service:service_manager { add find };
Andres Morales's avatar
Allow gatekeeperd to check Android permissions  
Andres Morales committed
13 
# Need to add auth tokens to KeyStore
Andres Morales's avatar
Allow gatekeeperd to use keystore  
Andres Morales committed
14 
use_keystore(gatekeeperd)
Andres Morales's avatar
SELinux permissions for gatekeeper TEE proxy  
Andres Morales committed
15 16 
allow gatekeeperd keystore:keystore_key { add_auth };
Andres Morales's avatar
Allow gatekeeperd to check Android permissions  
Andres Morales committed
17 18 19 
# For permissions checking
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;
Andres Morales's avatar
[gatekeeperd] allow calls to UserManagerService  
Andres Morales committed
20 21 
# For parent user ID lookup
allow gatekeeperd user_service:service_manager find;
Andres Morales's avatar
Allow gatekeeperd to check Android permissions  
Andres Morales committed
22
Andres Morales's avatar
New rules for SID access  
Andres Morales committed
23 
# for SID file access
Nick Kralevich's avatar
gatekeeperd: use more specific label for /data file  
Nick Kralevich committed
24 25 
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
allow gatekeeperd gatekeeper_data_file:file create_file_perms;
Andres Morales's avatar
New rules for SID access  
Andres Morales committed
26
Andres Morales's avatar
SELinux permissions for gatekeeper TEE proxy  
Andres Morales committed
27 
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;