Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / refs/tags/fp2-sibon-17.07.6 / . / gatekeeperd.te
blob: ca540c68fc8d054076fe1f15c2ed82b80aaa4d51 [file] [log] [blame]
Andres Moralese2079862015-04-03 16:46:33 -0700[diff] [blame]1type gatekeeperd, domain;
2type gatekeeperd_exec, exec_type, file_type;
3
4# gatekeeperd
5init_daemon_domain(gatekeeperd)
Alex Klyubinab5cf662015-04-28 16:51:26 -0700[diff] [blame]6binder_service(gatekeeperd)
Andres Moralese2079862015-04-03 16:46:33 -0700[diff] [blame]7binder_use(gatekeeperd)
Andres Moralese2079862015-04-03 16:46:33 -0700[diff] [blame]8allow gatekeeperd tee_device:chr_file rw_file_perms;
9
Andres Morales13abb172015-04-08 19:52:19 -0700[diff] [blame]10# need to find KeyStore and add self
Andres Moralese2079862015-04-03 16:46:33 -0700[diff] [blame]11allow gatekeeperd gatekeeper_service:service_manager { add find };
12
Andres Morales13abb172015-04-08 19:52:19 -0700[diff] [blame]13# Need to add auth tokens to KeyStore
Andres Moralesdd156fc2015-04-13 12:21:08 -0700[diff] [blame]14use_keystore(gatekeeperd)
Andres Moralese2079862015-04-03 16:46:33 -0700[diff] [blame]15allow gatekeeperd keystore:keystore_key { add_auth };
16
Andres Morales13abb172015-04-08 19:52:19 -0700[diff] [blame]17# For permissions checking
18allow gatekeeperd system_server:binder call;
19allow gatekeeperd permission_service:service_manager find;
Andres Morales54a4aab2015-08-04 17:42:22 -0700[diff] [blame]20# For parent user ID lookup
21allow gatekeeperd user_service:service_manager find;
Andres Morales13abb172015-04-08 19:52:19 -0700[diff] [blame]22
Andres Moralesb348f8f2015-04-16 13:40:57 -0700[diff] [blame]23# for SID file access
Nick Kralevich367757d2015-04-17 17:56:31 -0700[diff] [blame]24allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
25allow gatekeeperd gatekeeper_data_file:file create_file_perms;
Andres Moralesb348f8f2015-04-16 13:40:57 -0700[diff] [blame]26
Andres Moralese2079862015-04-03 16:46:33 -0700[diff] [blame]27neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;