SELinux permissions for gatekeeper TEE proxy
sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients
Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
diff --git a/shell.te b/shell.te
index cfadf77..0ce2cc4 100644
--- a/shell.te
+++ b/shell.te
@@ -59,7 +59,8 @@
# allow shell access to services
allow shell servicemanager:service_manager list;
-allow shell service_manager_type:service_manager find;
+# don't allow shell to access GateKeeper service
+allow shell { service_manager_type -gatekeeper_service }:service_manager find;
service_manager_local_audit_domain(shell)
# allow shell to look through /proc/ for ps, top
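Review bot: The exclusion in the new `allow shell { service_manager_type -gatekeeper_service }:service_manager find;` rule is only a set subtraction, so a later rule or attribute-based allow that covers `gatekeeper_service` would restore shell's access without any build error. The commit message mentions neverallow rules for prohibited clients, but none appear in this hunk; if they do not already name shell, add `neverallow shell gatekeeper_service:service_manager find;` beside this rule so the restriction is checked at policy compile time. Note that the unchanged `allow shell servicemanager:service_manager list;` line still lets shell enumerate service names, so this change blocks obtaining a handle, not seeing that the service exists. The added comment would be more useful if it gave the reason, going by the binder path in the commit message, e.g. `# gatekeeper_service is reached only via system_server; shell must not obtain a binder handle to it`.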