| type keystore, domain; |
| type keystore_exec, exec_type, file_type; |
| |
| # keystore daemon |
| init_daemon_domain(keystore) |
| typeattribute keystore mlstrustedsubject; |
| binder_use(keystore) |
| binder_service(keystore) |
| allow keystore keystore_data_file:dir create_dir_perms; |
| allow keystore keystore_data_file:notdevfile_class_set create_file_perms; |
| allow keystore keystore_exec:file { getattr }; |
| allow keystore tee_device:chr_file rw_file_perms; |
| allow keystore tee:unix_stream_socket connectto; |
| |
| ### |
| ### Neverallow rules |
| ### |
| ### Protect ourself from others |
| ### |
| |
| neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto }; |
| neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr }; |
| |
| neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *; |
| neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *; |
| |
| neverallow domain keystore:process ptrace; |
| |
| allow keystore keystore_service:service_manager add; |
| |
| # Check SELinux permissions. |
| selinux_check_access(keystore) |