Add policy for property ro.android.security.keystore2.enable
Bug: 171563717
Bug: 171305684
Test: N/A
Change-Id: I323081fd2ce2fee80951c3d1e19b9935e4596705
diff --git a/private/property.te b/private/property.te
index 80966dc..bf73c3d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -20,6 +20,9 @@
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
+# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
+system_internal_prop(keystore2_enable_prop)
+
###
### Neverallow rules
###
@@ -470,3 +473,12 @@
} {
lower_kptr_restrict_prop
}:property_service set;
+
+# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
+neverallow {
+ -init
+ -dumpstate
+ -system_app
+ -system_server
+ -zygote
+} keystore2_enable_prop:file no_rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 397beb1..2d90875 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -920,3 +920,7 @@
# zygote config property
zygote.critical_window.minute u:object_r:zygote_config_prop:s0 exact int
+
+# Enable Keystore 2.0.
+# TODO remove this propertye when Keystore 2.0 migration is complete b/171563717
+ro.android.security.keystore2.enable u:object_r:keystore2_enable_prop:s0 exact bool
diff --git a/private/system_app.te b/private/system_app.te
index 8fafce0..56b9746 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -164,6 +164,9 @@
# Settings app reads ro.oem_unlock_supported
get_prop(system_app, oem_unlock_prop)
+# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
+get_prop(system_app, keystore2_enable_prop)
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 104bd97..031ea95 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1202,6 +1202,9 @@
# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file rw_file_perms;
+# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
+get_prop(system_server, keystore2_enable_prop)
+
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 4ae427d..fac9ad0 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -209,6 +209,9 @@
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
+# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
+get_prop(zygote, keystore2_enable_prop)
+
###
### neverallow rules
###