# gatekeeperd domain: the Gatekeeper daemon, an init-started service that
# talks to the TEE device, registers itself with servicemanager, and pushes
# auth tokens into keystore. The daemon presumably backs lock-screen
# credential verification for system_server; confirm against the caller.
#
# NOTE(review): domain_deprecated is the legacy catch-all attribute that
# grants broad permissions to domains not yet tightened. Keep it only until
# the explicit rules below have been confirmed sufficient on their own, then
# drop it so gatekeeperd is limited to what is listed in this file.
type gatekeeperd, domain, domain_deprecated;
type gatekeeperd_exec, exec_type, file_type;

# gatekeeperd
# Launched by init as a daemon; hosts a Binder service and makes Binder calls.
init_daemon_domain(gatekeeperd)
binder_service(gatekeeperd)
binder_use(gatekeeperd)
# Read/write on the TEE character device is the only hardware access granted;
# it is how gatekeeperd reaches the hardware-backed Gatekeeper implementation.
allow gatekeeperd tee_device:chr_file rw_file_perms;

# Register itself with servicemanager as gatekeeper_service (add) and look
# that registration up (find). Note this rule is about gatekeeper_service,
# not keystore; keystore access comes from use_keystore() below. Only
# gatekeeperd may perform the add -- see the neverallow at the end of the file.
allow gatekeeperd gatekeeper_service:service_manager { add find };

# Need to add auth tokens to KeyStore.
# use_keystore() presumably supplies the Binder/service_manager access to
# keystore; the only keystore_key operation granted on top of it is add_auth,
# so gatekeeperd can submit auth tokens but is not given any other
# keystore_key permission (generate/read/delete) by this file.
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };

# For permissions checking: calls into system_server and locates the
# permission service so the caller's permissions can be checked.
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;
# For parent user ID lookup (presumably mapping a profile to its parent user;
# confirm against the daemon's use of the user service).
allow gatekeeperd user_service:service_manager find;

# for SID file access: gatekeeperd's persisted state lives under
# gatekeeper_data_file. This is the only file-system write access granted in
# this file; it covers creating and rewriting files in that directory.
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
allow gatekeeperd gatekeeper_data_file:file create_file_perms;

# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;

# Only gatekeeperd may register gatekeeper_service. This is the rule that
# stops any other domain from impersonating Gatekeeper -- e.g. answering
# credential checks or producing auth tokens in its place -- so do not widen
# it without revisiting the trust model above.
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
