Give resume_on_reboot key as separate context As part of the keystore2 requirement, we give the keys used for resume on reboot a separate context in keystore. And grant system server the permission to generate, use and delete it. Bug: 172780686 Test: resume on reboot works after using keystore2 Change-Id: I6b47625a0864a4aa87b815c6d2009cc19ad151a0

commit: 21ab75279a4af7684910dab4e28b48ca0910362b [log] [tgz]
author: Tianjie <xunchang@google.com> Tue Dec 15 16:57:26 2020 -0800
committer: Tianjie <xunchang@google.com> Thu Mar 04 12:20:19 2021 -0800
tree: 3d68b242cb944a00e4835eac926159df14b0581f
parent: 89bd64cd0df774e8a57c128484658f9b577b5a69 [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index c0c7c16..7d26410 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -891,6 +891,15 @@
 	use
 };
 
+# Allow lock_settings service to manage RoR keys.
+allow system_server resume_on_reboot_key:keystore2_key {
+	delete
+	get_info
+	rebind
+	update
+	use
+};
+
 # Allow system server to search and write to the persistent factory reset
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
commit	21ab75279a4af7684910dab4e28b48ca0910362b	[log] [tgz]
author	Tianjie <xunchang@google.com>	Tue Dec 15 16:57:26 2020 -0800
committer	Tianjie <xunchang@google.com>	Thu Mar 04 12:20:19 2021 -0800
tree	3d68b242cb944a00e4835eac926159df14b0581f
parent	89bd64cd0df774e8a57c128484658f9b577b5a69 [diff] [blame]