# SELinux policy for the keystore daemon (keystore.te).
# keystore holds the device's cryptographic key material, so the rules below
# grant it only its own storage plus the Binder endpoints it needs, and the
# neverallow block at the end asserts that no other domain can reach that
# storage or attach to the process.

type keystore, domain;
type keystore_exec, system_file_type, exec_type, file_type;

# keystore daemon
# mlstrustedsubject exempts keystore from MLS constraints so it can serve
# callers at any MLS level (the constraint wiring itself lives elsewhere).
typeattribute keystore mlstrustedsubject;
# Binder: talk to servicemanager, act as a Binder service, and exchange calls
# with system_server and wificond (macro bodies are defined outside this file).
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, system_server)
binder_call(keystore, wificond)

# Full control over its own persistent storage (keystore_data_file): the
# directories and every non-device file class inside them.
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
# Only stat() its own binary. No execute permission is granted here, so the
# domain transition from init is presumably declared elsewhere -- verify.
allow keystore keystore_exec:file { getattr };

# Register keystore_service with servicemanager and look up the two services
# keystore depends on: the attestation application-id provider and dropbox.
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;

# Check SELinux permissions.
# Lets keystore query the kernel policy so it can enforce its own per-caller
# access decisions in userspace (macro defined elsewhere).
selinux_check_access(keystore)

# Read-only access to cgroup directories and files.
r_dir_file(keystore, cgroup)

###
### Neverallow rules
###
### Protect ourselves from others
###

# Every domain other than keystore may hold at most the listed permissions on
# keystore's directories -- never write, add_name, remove_name, rmdir, rename,
# link or unlink ...
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
# ... and only relabelto/getattr on its files: no domain besides keystore may
# ever open, read or write stored key material.
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };

# Beyond that, only keystore and init may touch keystore_data_file at all; the
# two rules above therefore bound what init itself is allowed to do (directory
# setup and relabeling, never reading file contents).
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;

# No domain at all may ptrace keystore: a debugger attached to the process
# could read key material straight out of its memory.
neverallow * keystore:process ptrace;