Add convert_storage_key_to_ephemeral to keystore2_key access vector
Introduce the convert_storage_key_to_ephemeral permission to the
keystore2_key access vector and give vold permission to use it. This
permission must be checked when a caller wants to get a per-boot
ephemeral key from a long-lived wrapped storage key.
Bug: 181806377
Bug: 181910578
Change-Id: I542c084a8fab5153bc98212af64234e62e9ad032
diff --git a/private/vold.te b/private/vold.te
index 09388f1..ba5ad8c 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -35,6 +35,7 @@
# Vold will use Keystore instead of using Keymint directly. But it still needs
# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
allow vold vold_key:keystore2_key {
+ convert_storage_key_to_ephemeral
delete
get_info
manage_blob
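Review bot: the comment block above this allow rule still explains only why vold needs `manage_blob`; now that `convert_storage_key_to_ephemeral` is added to the same `vold_key:keystore2_key` set, extend that comment to say vold also needs it to obtain a per-boot ephemeral key from a wrapped storage key, as the commit message states, so the next reader does not have to consult git history to learn why vold holds that permission. Also, this hunk only grants the permission; since the commit message says the permission is being introduced to the `keystore2_key` access vector, the change to the access vector definition must be in the same commit, otherwise this rule references an undefined permission and the policy will fail to build.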