Skip to content

GitLab

Switch branch/tag
Find file Normal viewHistoryPermalink
gatekeeperd.te 846 Bytes
Newer Older
Andres Morales's avatar
SELinux permissions for gatekeeper TEE proxy  
Andres Morales committed
1 2 3 4 5 6 7 8 
type gatekeeperd, domain;
type gatekeeperd_exec, exec_type, file_type;

# gatekeeperd
init_daemon_domain(gatekeeperd)
binder_use(gatekeeperd)
allow gatekeeperd tee_device:chr_file rw_file_perms;
Andres Morales's avatar
Allow gatekeeperd to check Android permissions  
Andres Morales committed
9 
# need to find KeyStore and add self
Andres Morales's avatar
SELinux permissions for gatekeeper TEE proxy  
Andres Morales committed
10 11 
allow gatekeeperd gatekeeper_service:service_manager { add find };
Andres Morales's avatar
Allow gatekeeperd to check Android permissions  
Andres Morales committed
12 
# Need to add auth tokens to KeyStore
Nick Kralevich's avatar
gatekeeperd: neverallow non-system_server binder call  
Nick Kralevich committed
13 14 
allow gatekeeperd keystore_service:service_manager find;
binder_call(gatekeeperd, keystore)
Andres Morales's avatar
SELinux permissions for gatekeeper TEE proxy  
Andres Morales committed
15 16 
allow gatekeeperd keystore:keystore_key { add_auth };
Andres Morales's avatar
Allow gatekeeperd to check Android permissions  
Andres Morales committed
17 18 19 20 
# For permissions checking
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;
Andres Morales's avatar
SELinux permissions for gatekeeper TEE proxy  
Andres Morales committed
21 22 
neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
Nick Kralevich's avatar
gatekeeperd: neverallow non-system_server binder call  
Nick Kralevich committed
23 
neverallow { domain -system_server } gatekeeperd:binder call;