Add keystore permission for metrics re-routing.
Keystore2 atoms need to be routed to statsd via a proxy.
The proxy needs to have this permission in order to pull metrics from
keystore.
Ignore-AOSP-First: No mergepath to AOSP.
Bug: 188590587
Test: Statsd Testdrive script
Change-Id: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
Merged-In: Ic94f4bb19a08b6300cfd2d3ed09b31d5b7081bfd
(cherry picked from commit 61d07e7ce067bbfee6a84f422e6c229382a1e4a1)
diff --git a/prebuilts/api/31.0/private/access_vectors b/prebuilts/api/31.0/private/access_vectors
index 22f2ffa..5ff7aef 100644
--- a/prebuilts/api/31.0/private/access_vectors
+++ b/prebuilts/api/31.0/private/access_vectors
@@ -726,6 +726,7 @@
get_state
list
lock
+ pull_metrics
report_off_body
reset
unlock
diff --git a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
index 11260ba..4484823 100644
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
+++ b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
@@ -70,6 +70,7 @@
hw_timeout_multiplier_prop
keystore_compat_hal_service
keystore_maintenance_service
+ keystore_metrics_service
keystore2_key_contexts_file
legacy_permission_service
legacykeystore_service
diff --git a/prebuilts/api/31.0/private/service_contexts b/prebuilts/api/31.0/private/service_contexts
index f3bddd9..6d2b6a8 100644
--- a/prebuilts/api/31.0/private/service_contexts
+++ b/prebuilts/api/31.0/private/service_contexts
@@ -39,6 +39,7 @@
android.security.keystore u:object_r:keystore_service:s0
android.security.legacykeystore u:object_r:legacykeystore_service:s0
android.security.maintenance u:object_r:keystore_maintenance_service:s0
+android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
diff --git a/prebuilts/api/31.0/private/system_server.te b/prebuilts/api/31.0/private/system_server.te
index f35f9a8..73301c1 100644
--- a/prebuilts/api/31.0/private/system_server.te
+++ b/prebuilts/api/31.0/private/system_server.te
@@ -853,6 +853,7 @@
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
+allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
@@ -903,6 +904,7 @@
clear_uid
get_state
lock
+ pull_metrics
reset
unlock
};
diff --git a/prebuilts/api/31.0/public/keystore.te b/prebuilts/api/31.0/public/keystore.te
index 43ee28d..b7d5090 100644
--- a/prebuilts/api/31.0/public/keystore.te
+++ b/prebuilts/api/31.0/public/keystore.te
@@ -20,6 +20,7 @@
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
add_service(keystore, keystore_maintenance_service)
+add_service(keystore, keystore_metrics_service)
add_service(keystore, legacykeystore_service)
# Check SELinux permissions.
diff --git a/prebuilts/api/31.0/public/service.te b/prebuilts/api/31.0/public/service.te
index 967e6c4..8121d04 100644
--- a/prebuilts/api/31.0/public/service.te
+++ b/prebuilts/api/31.0/public/service.te
@@ -20,6 +20,7 @@
type credstore_service, app_api_service, service_manager_type;
type keystore_compat_hal_service, service_manager_type;
type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
type keystore_service, service_manager_type;
type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
diff --git a/private/access_vectors b/private/access_vectors
index 22f2ffa..5ff7aef 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -726,6 +726,7 @@
get_state
list
lock
+ pull_metrics
report_off_body
reset
unlock
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 3eabcb0..c943973 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -73,6 +73,7 @@
hw_timeout_multiplier_prop
keystore_compat_hal_service
keystore_maintenance_service
+ keystore_metrics_service
keystore2_key_contexts_file
legacy_permission_service
legacykeystore_service
diff --git a/private/service_contexts b/private/service_contexts
index e6b88c2..f8c1607 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -39,6 +39,7 @@
android.security.keystore u:object_r:keystore_service:s0
android.security.legacykeystore u:object_r:legacykeystore_service:s0
android.security.maintenance u:object_r:keystore_maintenance_service:s0
+android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index d76a2a8..bea51d7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -853,6 +853,7 @@
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
+allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
@@ -903,6 +904,7 @@
clear_uid
get_state
lock
+ pull_metrics
reset
unlock
};
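Review bot: The added `pull_metrics` in this permission set grants the new permission to the whole system_server domain, while the commit message says only the statsd proxy needs it, and nothing visible in the diff stops a later change from granting it to another domain. The allow rule starts above the hunk, so its target and class are not visible. Assuming it is the `keystore:keystore2` rule, consider pinning the intent with `neverallow { domain -system_server } keystore:keystore2 pull_metrics;`. A comment on the rule would also help, for example `# pull_metrics: used by the metrics proxy (presumably hosted in system_server) to pull Keystore2 atoms for statsd`. The same hunk is mirrored in prebuilts/api/31.0/private/system_server.te, and any follow-up has to keep the two copies identical.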
diff --git a/public/keystore.te b/public/keystore.te
index 43ee28d..b7d5090 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -20,6 +20,7 @@
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
add_service(keystore, keystore_maintenance_service)
+add_service(keystore, keystore_metrics_service)
add_service(keystore, legacykeystore_service)
# Check SELinux permissions.
diff --git a/public/service.te b/public/service.te
index f7b2ef5..756c31c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -21,6 +21,7 @@
type credstore_service, app_api_service, service_manager_type;
type keystore_compat_hal_service, service_manager_type;
type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
type keystore_service, service_manager_type;
type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;