ab5cf66873
This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.
(cherry picked from commit effcac7d7e
)
Bug: 20526234
Change-Id: I450242cd085259b3f82f36f359ee65ff27bebd13
26 lines
798 B
Plaintext
26 lines
798 B
Plaintext
type gatekeeperd, domain;
|
|
type gatekeeperd_exec, exec_type, file_type;
|
|
|
|
# gatekeeperd
|
|
init_daemon_domain(gatekeeperd)
|
|
binder_service(gatekeeperd)
|
|
binder_use(gatekeeperd)
|
|
allow gatekeeperd tee_device:chr_file rw_file_perms;
|
|
|
|
# need to find KeyStore and add self
|
|
allow gatekeeperd gatekeeper_service:service_manager { add find };
|
|
|
|
# Need to add auth tokens to KeyStore
|
|
use_keystore(gatekeeperd)
|
|
allow gatekeeperd keystore:keystore_key { add_auth };
|
|
|
|
# For permissions checking
|
|
allow gatekeeperd system_server:binder call;
|
|
allow gatekeeperd permission_service:service_manager find;
|
|
|
|
# for SID file access
|
|
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
|
|
allow gatekeeperd gatekeeper_data_file:file create_file_perms;
|
|
|
|
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
|