Adding policies for KeyStore MAC.

Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
diff --git a/racoon.te b/racoon.te
index 6148255..8b09cdf 100644
--- a/racoon.te
+++ b/racoon.te
@@ -8,7 +8,6 @@
 net_domain(racoon)
 
 binder_use(racoon)
-binder_call(racoon, keystore)
 
 allow racoon tun_device:chr_file r_file_perms;
 allow racoon cgroup:dir { add_name create };
@@ -22,3 +21,12 @@
 allow racoon system_file:file rx_file_perms;
 allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;
+
+use_keystore(racoon)
+
+# Racoon (VPN) has a restricted set of permissions from the default.
+allow racoon keystore:keystore_key {
+	get
+	sign
+	verify
+};
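Review bot: The comment on the new `allow racoon keystore:keystore_key` rule calls the set "restricted", but allow rules are only additive, so nothing in this hunk prevents another rule, or an attribute racoon carries, from granting further keystore_key permissions later. If racoon is meant to be limited to get, sign and verify, pin that with `neverallow racoon keystore:keystore_key ~{ get sign verify };` so a broader grant fails at policy build time. The definition of `use_keystore` is not part of this diff; presumably it supplies the `binder_call(racoon, keystore)` removed in the first hunk and grants no keystore_key permissions itself, which is worth confirming. The comment should also say what "the default" refers to, since the file gives no baseline to compare against.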