xref: /aosp_15_r20/system/sepolicy/private/keystore.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
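# keystore is part of the core platform (system) policy, not a vendor domain.
typeattribute keystore coredomain;

# Have init start the keystore daemon in the keystore domain (automatic domain
# transition when init executes the keystore binary).
init_daemon_domain(keystore)

# Keystore is a client of the three HALs below.
# Talk to keymaster.
hal_client_domain(keystore, hal_keymaster)

# Talk to confirmationui.
hal_client_domain(keystore, hal_confirmationui)

# Talk to keymint.
hal_client_domain(keystore, hal_keymint)

# This is used for the ConfirmationUI async callback.
# The direction is keystore -> platform_app only; nothing here lets a
# platform_app call keystore.
# NOTE(review): the target is the whole platform_app domain, not a single
# callback receiver. Confirm that this breadth is intended.
allow keystore platform_app:binder call;

# Allow keystore to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)

# Allow keystore to check if the system is rkp only.
get_prop(keystore, remote_prov_prop)

# Allow keystore to check whether to post-process RKP certificates.
get_prop(keystore, remote_prov_cert_prop)

# Allow keystore to check rkpd feature flags.
get_prop(keystore, device_config_remote_key_provisioning_native_prop)

# Allow keystore to write to statsd (send-only access to the statsdw socket).
unix_socket_send(keystore, statsdw, statsd)

# Keystore needs read access to the keystore2_key_contexts file to load the
# keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;

# Allow keystore to listen to changing boot levels.
get_prop(keystore, keystore_listen_prop)

# Keystore needs to transfer binder references to vold so that it
# can call keystore methods on those references.
allow keystore vold:binder transfer;

# Allow keystore to set properties labelled keystore_crash_prop. The neverallow
# section at the end of this file limits setting them to keystore and init.
set_prop(keystore, keystore_crash_prop)

# keystore is using apex_info via libvintf.
use_apex_info(keystore)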
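# mlstrustedsubject exempts keystore from the MLS constraints that apply to
# subjects.
# NOTE(review): presumably required because keystore serves clients at every
# MLS level/category. Confirm before widening or removing.
typeattribute keystore mlstrustedsubject;

# Binder: use the binder driver, act as a binder service for clients, and make
# outgoing calls to the servers listed here.
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, remote_provisioning_service_server)
binder_call(keystore, rkp_cert_processor)
binder_call(keystore, system_server)
binder_call(keystore, wificond)

# Keystore manages everything labelled keystore_data_file: full create/modify/
# delete access to directories and to non-device file classes.
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
# Keystore may stat its own executable.
allow keystore keystore_exec:file { getattr };

# Register the main keystore service and look up the services keystore calls.
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore remote_provisioning_service:service_manager find;
allow keystore rkp_cert_processor_service:service_manager find;

# Further services hosted by the keystore daemon.
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
add_service(keystore, keystore_maintenance_service)
add_service(keystore, keystore_metrics_service)
add_service(keystore, legacykeystore_service)

# Check SELinux permissions: keystore may ask the kernel for access decisions.
# NOTE(review): presumably this is how keystore authorizes its callers. Verify
# against the daemon's source.
selinux_check_access(keystore)

# Read-only access to cgroup v1 and v2 directories and files.
r_dir_file(keystore, cgroup)
r_dir_file(keystore, cgroup_v2)

# The software KeyMint implementation used in km_compat needs
# to read the vendor security patch level.
get_prop(keystore, vendor_security_patch_level_prop)

# Allow keystore to read its vendor configuration.
get_prop(keystore, keystore_config_prop)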
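###
### Neverallow rules
###
### Protect ourselves from others
###
# neverallow rules grant nothing. They are assertions checked when the policy is
# compiled, and the build fails if any allow rule (here or in another .te file)
# contradicts them.

# Ceiling for every domain other than keystore: on keystore_data_file
# directories at most the listed permissions, on its files at most
# relabelto/getattr. No other domain can therefore open, read or write these
# files.
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };

# Of the non-keystore domains, only init may be granted anything at all. Together
# with the two rules above, init is limited to the directory permissions and
# file relabelto/getattr listed there.
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;

# No domain may ptrace the keystore process. The source is "*", so the rule has
# no exceptions and also covers keystore itself.
neverallow * keystore:process ptrace;

# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
# system property, an exception is added for init as well.
neverallow { domain -keystore -init } keystore_crash_prop:property_service set;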