# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
# storage of secrets guarded by DICE policies.
binder_call(hal_secretkeeper_client, hal_secretkeeper_server)

hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)

binder_use(hal_secretkeeper_server)
binder_use(hal_secretkeeper_client)

# The Secretkeeper HAL service needs to communicate with a trusted application running
# in the TEE, which is represented by the tee_device permission.
allow hal_secretkeeper_server tee_device:chr_file rw_file_perms;