summaryrefslogtreecommitdiff
path: root/prebuilts/api/32.0/private/keystore.te
diff options
context:
space:
mode:
Diffstat (limited to 'prebuilts/api/32.0/private/keystore.te')
-rw-r--r--prebuilts/api/32.0/private/keystore.te36
1 files changed, 36 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/keystore.te b/prebuilts/api/32.0/private/keystore.te
new file mode 100644
index 000000000..884222412
--- /dev/null
+++ b/prebuilts/api/32.0/private/keystore.te
@@ -0,0 +1,36 @@
+typeattribute keystore coredomain;
+
+init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# talk to confirmationui
+hal_client_domain(keystore, hal_confirmationui)
+
+# talk to keymint
+hal_client_domain(keystore, hal_keymint)
+
+# This is used for the ConfirmationUI async callback.
+allow keystore platform_app:binder call;
+
+# Allow to check whether security logging is enabled.
+get_prop(keystore, device_logging_prop)
+
+# Allow keystore to write to statsd.
+unix_socket_send(keystore, statsdw, statsd)
+
+# Keystore need access to the keystore_key context files to load the keystore key backend.
+allow keystore keystore2_key_contexts_file:file r_file_perms;
+
+get_prop(keystore, keystore_listen_prop)
+
+# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
+# can call keystore methods on those references.
+allow keystore vold:binder transfer;
+allow keystore wait_for_keymaster:binder transfer;
+
+# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
+# system property, an exception is added for init as well.
+set_prop(keystore, keystore_crash_prop)
+neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-03 06:22:23 +0000