Setup vold_key keystore2_key namespace.

Allow vold to access its namespace using raw Keymint blobs.

Test: keystore2_test runs some tests against this policy.
Bug: 160623310
Bug: 158500146
Change-Id: Iaf338f1ac48dd56ef6e1b73cb3b8634a91e8bf9f
Merged-In: Iaf338f1ac48dd56ef6e1b73cb3b8634a91e8bf9f
diff --git a/private/vold.te b/private/vold.te
index e62d7a9..d286e8f 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -30,3 +30,16 @@
 set_prop(vold, restorecon_prop)
 set_prop(vold, ota_prop)
 set_prop(vold, boottime_prop)
+
+# Vold will use Keystore instead of using Keymint directly. But it still needs
+# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
+allow vold vold_key:keystore2_key {
+    delete
+    get_info
+    list
+    manage_blob
+    rebind
+    req_forced_op
+    update
+    use
+};
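Review bot: the new `allow vold vold_key:keystore2_key { ... }` rule references the `vold_key` type, but this change only touches `private/vold.te` and contains neither a `type vold_key, keystore2_key_type;` declaration nor a `keystore2_key_contexts` entry mapping a namespace id to `vold_key`; please confirm both exist (or add them here), otherwise the policy will not compile and the namespace the commit title describes is never reachable. The comment above the rule justifies only `manage_blob`; `req_forced_op` and `rebind` are the other non-obvious grants (forced operations can evict other clients' in-flight operations, and `rebind` lets a key alias be repointed), so a one-line comment on why vold needs each would make the rule easier to audit and keep the permission set from growing unreviewed.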