# SELinux policy for the keystore daemon.
# NOTE(review): domain_deprecated presumably carries legacy, broad permissions
# that newer domains no longer get; confirm keystore still needs it before
# adding any further rules to this file.
type keystore, domain, domain_deprecated;
type keystore_exec, exec_type, file_type;

# Domain setup: keystore is started by init, is a member of mlstrustedsubject
# (exempt from MLS constraints), and both uses binder and hosts a binder
# service that it registers with and looks up in the service manager.
init_daemon_domain(keystore)
typeattribute keystore mlstrustedsubject;
binder_use(keystore)
binder_service(keystore)
allow keystore keystore_service:service_manager { add find };

# Own data store: full directory and (non-device) file management under
# keystore_data_file.
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;

# Trusted execution environment access: read/write on the tee_device
# character device and a unix stream connection into the tee domain.
allow keystore tee_device:chr_file rw_file_perms;
allow keystore tee:unix_stream_socket connectto;

# keystore may stat its own executable.
allow keystore keystore_exec:file getattr;

# Lets keystore query SELinux access decisions from userspace (presumably to
# enforce per-caller checks on its own API).
selinux_check_access(keystore)

###
### Neverallow rules
###
### Protect ourself from others
###

# Only keystore and init may touch the keystore data store at all; every
# other domain is denied every dir and non-device-file permission outright.
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;

# init, the one domain the pair above leaves out, is capped at the listed
# permissions: on dirs it gets at most open/create/read/getattr/setattr/
# search/relabelto/ioctl (no write, add_name or remove_name), and on files
# only relabelto and getattr (no read, write or unlink).
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };

# No domain whatsoever may ptrace keystore, so its key material cannot be
# read out of process memory by a debugger or any other domain.
neverallow * keystore:process ptrace;