type gatekeeperd, domain;
type gatekeeperd_exec, system_file_type, exec_type, file_type;

# gatekeeperd
binder_service(gatekeeperd)
binder_use(gatekeeperd)

### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
### These rules should eventually be granted only when needed.
allow gatekeeperd ion_device:chr_file r_file_perms;
# Load HAL implementation
allow gatekeeperd system_file:dir r_dir_perms;
###

### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
### These rules should eventually be granted only when needed.
hal_client_domain(gatekeeperd, hal_gatekeeper)
###

# need to find KeyStore and add self
add_service(gatekeeperd, gatekeeper_service)

# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };
allow gatekeeperd keystore:keystore2 { add_auth };
allow gatekeeperd authorization_service:service_manager find;

# For permissions checking
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;

# for SID file access
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
allow gatekeeperd gatekeeper_data_file:file create_file_perms;

# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;

r_dir_file(gatekeeperd, cgroup)
r_dir_file(gatekeeperd, cgroup_v2)