# SELinux policy for the keystore daemon.
# Every permission keystore holds is listed here, grouped by the peer it talks
# to or the property it reads. The macros used below (init_daemon_domain,
# hal_client_domain, get_prop, set_prop, unix_socket_send, use_apex_info) are
# defined in the shared policy macros, not in this file.
typeattribute keystore coredomain;

init_daemon_domain(keystore)

# talk to keymaster
hal_client_domain(keystore, hal_keymaster)

# talk to confirmationui
hal_client_domain(keystore, hal_confirmationui)

# talk to keymint
hal_client_domain(keystore, hal_keymint)

# This is used for the ConfirmationUI async callback.
# NOTE(review): the rule is keyed on the whole platform_app domain, so it permits
# binder calls into any platform app, not just the one serving the callback.
# Confirm no narrower target type exists before widening this further.
allow keystore platform_app:binder call;

# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)

# Allow keystore to check if the system is rkp only.
get_prop(keystore, remote_prov_prop)

# Allow keystore to check rkpd feature flags
get_prop(keystore, device_config_remote_key_provisioning_native_prop)

# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)

# Keystore need access to the keystore_key context files to load the keystore key backend.
# Read-only: only r_file_perms is granted on keystore2_key_contexts_file.
allow keystore keystore2_key_contexts_file:file r_file_perms;

# Allow keystore to listen to changing boot levels
get_prop(keystore, keystore_listen_prop)

# Keystore needs to transfer binder references to vold so that it
# can call keystore methods on those references.
# Only 'transfer' is granted here; this rule does not let keystore call into vold.
allow keystore vold:binder transfer;

# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
# system property, an exception is added for init as well.
# set_prop grants the write; the neverallow makes the "keystore (and init) only"
# invariant explicit so that a rule elsewhere granting another domain this
# property is rejected when the policy is compiled.
set_prop(keystore, keystore_crash_prop)
neverallow { domain -keystore -init } keystore_crash_prop:property_service set;

# keystore is using apex_info via libvintf
use_apex_info(keystore)