Merge "init sets keystore.boot_level, keystore reads"
diff --git a/private/init.te b/private/init.te
index f00c65c..348673b 100644
--- a/private/init.te
+++ b/private/init.te
@@ -80,3 +80,6 @@
# Only init can write ro.property_service.version
neverallow { -init } property_service_version_prop:property_service set;
+
+# Only init can set keystore.boot_level
+neverallow { -init } keystore_listen_prop:property_service set;
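Review bot: The comment on the new neverallow names the property `keystore.boot_level`, but the rule constrains the type `keystore_listen_prop`, so any property later given that label inherits the init-only restriction and the comment goes stale. I would word it as `# Only init can set keystore_listen_prop properties (currently keystore.boot_level)`. A short why-line would also help: going by the commit title, keystore acts on this value, so a write from any other domain would let that domain influence keystore's view of the boot stage. A neverallow is only a build-time assertion; the rule that actually lets init set the property is not in this hunk and presumably comes from init's existing grant over property types, which is worth confirming.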
diff --git a/private/keystore.te b/private/keystore.te
index 5cded8a..85f1517 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -23,3 +23,4 @@
# Keystore need access to the keystore_key context files to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
+get_prop(keystore, keystore_listen_prop)
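Review bot: The added `get_prop(keystore, keystore_listen_prop)` is the only rule in this hunk without a comment, and nothing here records that keystore is meant to have read access only. I would add `# Keystore reads keystore.boot_level, which only init may set, to follow boot stages.` above it. That keeps the least-privilege intent visible to anyone who later considers widening it to `set_prop`, which the neverallow in init.te would reject at build time.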
diff --git a/private/property.te b/private/property.te
index 1ffb8ee..34c0fd8 100644
--- a/private/property.te
+++ b/private/property.te
@@ -15,6 +15,7 @@
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_svc_debug_prop)
+system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(lower_kptr_restrict_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 5c3a84c..22e0ff6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1075,6 +1075,9 @@
# TODO remove this property when Keystore 2.0 migration is complete b/171563717
persist.android.security.keystore2.enable u:object_r:keystore2_enable_prop:s0 exact bool
+# Broadcast boot stages, which keystore listens to
+keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
+
partition.system.verified u:object_r:verity_status_prop:s0 exact string
partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
partition.product.verified u:object_r:verity_status_prop:s0 exact string
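Review bot: `exact int` on `keystore.boot_level` constrains only the value's type; it does not bound the range or stop the value from moving backwards, so the reader has to enforce any ordering itself. Whether keystore does so is not visible in this diff. If the level is meant to only increase, the comment should say so, e.g. `# Boot stage set by init; keystore listens and expects the value to only increase`. Separately, the new comment sits directly under the keystore2.enable TODO entry with the added blank line placed after the new property, so the TODO can read as covering both; moving that blank line above `# Broadcast boot stages` would separate the two entries.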