1 type keystore, domain; 2 type keystore_exec, exec_type, file_type; 3 4 # keystore daemon 5 typeattribute keystore mlstrustedsubject; 6 binder_use(keystore) 7 binder_service(keystore) 8 binder_call(keystore, system_server) 9 10 allow keystore keystore_data_file:dir create_dir_perms; 11 allow keystore keystore_data_file:notdevfile_class_set create_file_perms; 12 allow keystore keystore_exec:file { getattr }; 13 14 add_service(keystore, keystore_service) 15 allow keystore sec_key_att_app_id_provider_service:service_manager find; 16 allow keystore dropbox_service:service_manager find; 17 18 # Check SELinux permissions. 19 selinux_check_access(keystore) 20 21 r_dir_file(keystore, cgroup) 22 23 ### 24 ### Neverallow rules 25 ### 26 ### Protect ourself from others 27 ### 28 29 neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }; 30 neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr }; 31 32 neverallow { domain -keystore -init } keystore_data_file:dir *; 33 neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *; 34 35 neverallow * keystore:process ptrace; 36
