Give resume_on_reboot key as separate context
As part of the keystore2 requirement, we give the keys used for
resume on reboot a separate context in keystore, and grant system
server the permission to generate, use and delete them.
Bug: 172780686
Test: resume on reboot works after using keystore2
Change-Id: I6b47625a0864a4aa87b815c6d2009cc19ad151a0
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 9612b90..5695cc3 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -20,3 +20,6 @@
# namespace in keystore.
102 u:object_r:wifi_key:s0
+# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
+120 u:object_r:resume_on_reboot_key:s0
+
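Review bot: The comment on the new entry does not say which domain owns namespace 120 or that the number is a contract with the caller. The numeric id is presumably what the client passes in its key descriptor, so a mismatch would leave keys under a different label than the one this policy protects. I would extend the comment to something like `# resume_on_reboot_key (120) is the keystore2_key namespace for resume-on-reboot keys; access is granted to system_server only and the number must match the framework's namespace constant.`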
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index 990bc29..8d33d5d 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -13,3 +13,7 @@
# A keystore2 namespace for the on-device signing daemon.
type odsign_key, keystore2_key_type;
+
+# A keystore2 namespace for resume on reboot.
+type resume_on_reboot_key, keystore2_key_type;
+
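Review bot: The new `resume_on_reboot_key` type is declared without a neverallow bounding which domains may ever be granted it. The key protects credentials held across a reboot, so a later allow rule for another domain would widen access unnoticed. If no other domain is meant to reach this namespace (not visible from this commit), I would add `neverallow { domain -system_server } resume_on_reboot_key:keystore2_key *;` next to the declaration so the restriction is enforced at policy build time.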
diff --git a/private/system_server.te b/private/system_server.te
index c0c7c16..7d26410 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -891,6 +891,15 @@
use
};
+# Allow lock_settings service to manage RoR keys.
+allow system_server resume_on_reboot_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
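Review bot: The comment on the new rule names the lock_settings service, but the allow is on the `system_server` domain, so every service running in that domain gets these permissions on RoR keys. The comment should say so, e.g. `# Allow system_server (on behalf of the lock_settings service) to manage RoR keys; the grant is domain-wide.` The commit message lists only generate, use and delete, so please confirm `update` is actually needed and drop it from the set if not. The hunk opens inside the preceding allow block (`use` / `};`), which starts outside the visible lines.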