Setup vold_key keystore2_key namespace.
Allow vold to access its namespace using raw Keymint blobs.
Test: keystore2_test runs some tests against this policy.
Bug: 160623310
Bug: 158500146
Change-Id: Iaf338f1ac48dd56ef6e1b73cb3b8634a91e8bf9f
Merged-In: Iaf338f1ac48dd56ef6e1b73cb3b8634a91e8bf9f
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 77c4c1e..49dbeae 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -4,4 +4,6 @@
# <namespace> <label>
#
# <namespace> must be an integer in the interval [0 ... 2^31)
+# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
+100 u:object_r:vold_key:s0
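Review bot: The entry `100 u:object_r:vold_key:s0` ties the label to a bare integer, but nothing in the hunk says where that number is consumed; presumably vold passes 100 as the namespace when it talks to keystore2, and the two will drift silently if either side changes. I would extend the added comment to name that anchor, e.g. `# Namespace 100 must match the constant vold uses for its keystore2 KeyDescriptor; change both together.` The label name must also match the `vold_key` type declared in keystore_keys.te, which is worth a second line in the same comment.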
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index 757ca39..9fc5292 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -1,2 +1,6 @@
# Specify keystore2_key namespaces in this file.
# Please keep the names in alphabetical order and comment each new entry.
+
+# A keystore2 namespace for vold. Vold need special permission to handle
+# its own Keymint blobs.
+type vold_key, keystore2_key_type;
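Review bot: The new comment has a grammar slip (`Vold need special permission`) and, more importantly, does not say what the special permission is, so a reader of this file cannot tell why this namespace differs from an ordinary app or system namespace. I would replace the two comment lines with `# A keystore2 namespace for vold. Vold needs the manage_blob permission on it` / `# to handle its own raw Keymint blobs instead of Keystore-managed keys.` That makes the elevated grant in vold.te discoverable from the type declaration itself.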
diff --git a/private/vold.te b/private/vold.te
index e62d7a9..d286e8f 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -30,3 +30,16 @@
set_prop(vold, restorecon_prop)
set_prop(vold, ota_prop)
set_prop(vold, boottime_prop)
+
+# Vold will use Keystore instead of using Keymint directly. But it still needs
+# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
+allow vold vold_key:keystore2_key {
+ delete
+ get_info
+ list
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+};
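Review bot: The comment justifies only `manage_blob`, but the rule also grants `req_forced_op` and `rebind`, and neither the comment nor the commit message explains them; as I understand keystore2, `req_forced_op` lets a caller force an operation slot at the expense of other clients' in-flight operations, which is a capability that should be granted only where demonstrably needed. Either drop those two permissions until keystore2_test shows vold requires them, or document each one, e.g. `# req_forced_op: vold performs key operations during early boot and must not be starved by other clients.` Since `manage_blob` already lets vold bypass Keystore's ownership of key material, keeping this rule to the minimum set is the whole point of giving vold its own namespace.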