authorAndres Morales <anmorales@google.com>2015-04-07 00:32:50 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2015-04-07 00:32:50 +0000
commit151a02a9bc4a9ce22bed2bc4310bb91a986c564f (patch)
treec72451e7e8673b6cad6358978529c745094483dc
parent2c223578f5aef804d9268a9f10d08bfd9d786f9c (diff)
parent258ea8ed2e199855b4384ce11d7861fb7ae84683 (diff)
am 258ea8ed: am e207986e: SELinux permissions for gatekeeper TEE proxy
* commit '258ea8ed2e199855b4384ce11d7861fb7ae84683': SELinux permissions for gatekeeper TEE proxy
-rw-r--r--dumpstate.te2
-rw-r--r--file_contexts1
-rw-r--r--gatekeeperd.te15
-rw-r--r--service.te1
-rw-r--r--service_contexts1
-rw-r--r--shell.te3
-rw-r--r--system_server.te1
7 files changed, 22 insertions, 2 deletions
diff --git a/dumpstate.te b/dumpstate.te
index 450ca9a..43daac4 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -107,7 +107,7 @@ allow dumpstate net_data_file:file r_file_perms;
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;
-allow dumpstate service_manager_type:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
service_manager_local_audit_domain(dumpstate)
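Review bot: The new `allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;` line excludes gatekeeper_service without saying why, whereas the equivalent change in shell.te carries a comment. A later editor who widens this rule back to `service_manager_type` will only learn the reason from a neverallow failure at build time. I would add a line above it such as `# gatekeeper_service is excluded: only gatekeeperd and system_server may find it (see neverallow in gatekeeperd.te)`, and use the same wording in shell.te so the two exclusions read alike.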
diff --git a/file_contexts b/file_contexts
index 45a3549..7ef7b3c 100644
--- a/file_contexts
+++ b/file_contexts
@@ -147,6 +147,7 @@
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/debuggerd u:object_r:debuggerd_exec:s0
/system/bin/debuggerd64 u:object_r:debuggerd_exec:s0
/system/bin/wpa_supplicant u:object_r:wpa_exec:s0
diff --git a/gatekeeperd.te b/gatekeeperd.te
new file mode 100644
index 0000000..45bf7d9
--- /dev/null
+++ b/gatekeeperd.te
@@ -0,0 +1,15 @@
+type gatekeeperd, domain;
+type gatekeeperd_exec, exec_type, file_type;
+
+# gatekeeperd
+init_daemon_domain(gatekeeperd)
+binder_use(gatekeeperd)
+binder_service(gatekeeperd)
+allow gatekeeperd tee_device:chr_file rw_file_perms;
+
+allow gatekeeperd gatekeeper_service:service_manager { add find };
+
+allow gatekeeperd keystore:keystore_key { add_auth };
+
+neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
+neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
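Review bot: The `allow gatekeeperd keystore:keystore_key { add_auth };` rule grants the keystore permission, but nothing in this new file lets gatekeeperd look up keystore or call it over binder. Unless that access is granted elsewhere in the policy, the add_auth check would presumably never be reached; the likely additions are `allow gatekeeperd keystore_service:service_manager find;` and `binder_call(gatekeeperd, keystore)`. The two neverallow rules would also benefit from a comment stating the intent, for example `# Only gatekeeperd may register the service; only gatekeeperd and system_server may look it up`. The `tee_device:chr_file rw_file_perms` rule likewise has no comment saying why the daemon needs read/write access to the TEE node.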
diff --git a/service.te b/service.te
index a11e641..2341ff0 100644
--- a/service.te
+++ b/service.te
@@ -4,6 +4,7 @@ type drmserver_service, service_manager_type;
type healthd_service, service_manager_type;
type inputflinger_service, service_manager_type;
type keystore_service, service_manager_type;
+type gatekeeper_service, service_manager_type;
type mediaserver_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index aa1aa22..37b18e1 100644
--- a/service_contexts
+++ b/service_contexts
@@ -3,6 +3,7 @@ account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
alarm u:object_r:alarm_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
assetatlas u:object_r:assetatlas_service:s0
diff --git a/shell.te b/shell.te
index cfadf77..0ce2cc4 100644
--- a/shell.te
+++ b/shell.te
@@ -59,7 +59,8 @@ allow shell kernel:system syslog_read;
# allow shell access to services
allow shell servicemanager:service_manager list;
-allow shell service_manager_type:service_manager find;
+# don't allow shell to access GateKeeper service
+allow shell { service_manager_type -gatekeeper_service }:service_manager find;
service_manager_local_audit_domain(shell)
# allow shell to look through /proc/ for ps, top
diff --git a/system_server.te b/system_server.te
index 0b970be..fd72ced 100644
--- a/system_server.te
+++ b/system_server.te
@@ -362,6 +362,7 @@ allow system_server pstorefs:file r_file_perms;
allow system_server drmserver_service:service_manager find;
allow system_server healthd_service:service_manager find;
allow system_server keystore_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;