1 type gatekeeperd, domain; 2 type gatekeeperd_exec, exec_type, file_type; 3 4 # gatekeeperd 5 init_daemon_domain(gatekeeperd) 6 binder_service(gatekeeperd) 7 binder_use(gatekeeperd) 8 allow gatekeeperd tee_device:chr_file rw_file_perms; 9 10 # need to find KeyStore and add self 11 allow gatekeeperd gatekeeper_service:service_manager { add find }; 12 13 # Need to add auth tokens to KeyStore 14 use_keystore(gatekeeperd) 15 allow gatekeeperd keystore:keystore_key { add_auth }; 16 17 # For permissions checking 18 allow gatekeeperd system_server:binder call; 19 allow gatekeeperd permission_service:service_manager find; 20 # For parent user ID lookup 21 allow gatekeeperd user_service:service_manager find; 22 23 # for SID file access 24 allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms; 25 allow gatekeeperd gatekeeper_data_file:file create_file_perms; 26 27 neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add; 28
