1typeattribute keystore coredomain; 2 3init_daemon_domain(keystore) 4 5# talk to keymaster 6hal_client_domain(keystore, hal_keymaster) 7 8# talk to confirmationui 9hal_client_domain(keystore, hal_confirmationui) 10 11# talk to keymint 12hal_client_domain(keystore, hal_keymint) 13 14# Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to 15# access it. 16# TODO(b/312427637): Investigate the reason and fix the denial. 17dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find }; 18 19# This is used for the ConfirmationUI async callback. 20allow keystore platform_app:binder call; 21 22# Allow to check whether security logging is enabled. 23get_prop(keystore, device_logging_prop) 24 25# Allow keystore to check if the system is rkp only. 26get_prop(keystore, remote_prov_prop) 27 28# Allow keystore to check rkpd feature flags 29get_prop(keystore, device_config_remote_key_provisioning_native_prop) 30 31# Allow keystore to write to statsd. 32unix_socket_send(keystore, statsdw, statsd) 33 34# Keystore need access to the keystore2_key_contexts file to load the keystore key backend. 35allow keystore keystore2_key_contexts_file:file r_file_perms; 36 37# Allow keystore to listen to changing boot levels 38get_prop(keystore, keystore_listen_prop) 39 40# Keystore needs to transfer binder references to vold so that it 41# can call keystore methods on those references. 42allow keystore vold:binder transfer; 43 44# Only keystore can set keystore.crash_count system property. Since init is allowed to set any 45# system property, an exception is added for init as well. 46set_prop(keystore, keystore_crash_prop) 47neverallow { domain -keystore -init } keystore_crash_prop:property_service set; 48 49# keystore is using apex_info via libvintf 50use_apex_info(keystore) 51