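# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
# storage of secrets guarded by DICE policies.

# Clients may make binder calls into the Secretkeeper server domain.
binder_call(hal_secretkeeper_client, hal_secretkeeper_server)

# Bind hal_secretkeeper_service to the hal_secretkeeper attribute.
# NOTE(review): in AOSP this macro is expected to let clients find the service, let the
# server register it, and forbid other domains from registering it. The macro is defined
# outside this file; confirm against the te_macros of the tree being built.
hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)

# Both sides need baseline binder access before any call can be made.
binder_use(hal_secretkeeper_server)
binder_use(hal_secretkeeper_client)

# The Secretkeeper HAL service needs to communicate with a trusted application running
# in the TEE, which is represented by the tee_device permission.
# NOTE(review): only the server domain receives this grant; clients get no tee_device
# access here and reach the TEE solely through the HAL's binder interface.
# The rule is scoped to the tee_device label, not to a particular trusted application, so
# SELinux alone does not restrict which TA the server can address. Presumably the TEE or
# its driver enforces that; verify for the target device.
# rw_file_perms should cover use of an existing node, not create/unlink; confirm in
# global_macros.
allow hal_secretkeeper_server tee_device:chr_file rw_file_perms;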