gatekeeperd: use more specific label for /data file

Use a more specific label for /data/misc/gatekeeper Rearrange some other rules. Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5
author: Nick Kralevich <nnk@google.com> 2015-04-17 17:56:31 -0700
committer: Nick Kralevich <nnk@google.com> 2015-04-17 17:56:31 -0700
commit: 367757d2ef0ee5c8edc47ce8203a0d3369774e9c (patch)
tree: e6b2261fe6846c348c9e468905b0170c38a67705 /untrusted_app.te
parent: 6db824a7d909df2235ab6893a07aa9859ec99570 (diff)
download: android_external_sepolicy-367757d2ef0ee5c8edc47ce8203a0d3369774e9c.tar.gz
android_external_sepolicy-367757d2ef0ee5c8edc47ce8203a0d3369774e9c.tar.bz2
android_external_sepolicy-367757d2ef0ee5c8edc47ce8203a0d3369774e9c.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/untrusted_app.te b/untrusted_app.te
index 5ad8c79..1b7aaee 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -93,6 +93,10 @@ allow untrusted_app persistent_data_block_service:service_manager find;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
 
+# Apps using KeyStore API will request the SID from GateKeeper
+allow untrusted_app gatekeeper_service:service_manager find;
+binder_call(untrusted_app, gatekeeperd)
+
 ###
 ### neverallow rules
 ###
author	Nick Kralevich <nnk@google.com>	2015-04-17 17:56:31 -0700
committer	Nick Kralevich <nnk@google.com>	2015-04-17 17:56:31 -0700
commit	367757d2ef0ee5c8edc47ce8203a0d3369774e9c (patch)
tree	e6b2261fe6846c348c9e468905b0170c38a67705 /untrusted_app.te
parent	6db824a7d909df2235ab6893a07aa9859ec99570 (diff)
download	android_external_sepolicy-367757d2ef0ee5c8edc47ce8203a0d3369774e9c.tar.gz android_external_sepolicy-367757d2ef0ee5c8edc47ce8203a0d3369774e9c.tar.bz2 android_external_sepolicy-367757d2ef0ee5c8edc47ce8203a0d3369774e9c.zip