Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 4a664e8d5d4876d01188733dd6ca5b825dcb7f85^! / .
commit4a664e8d5d4876d01188733dd6ca5b825dcb7f85[log] [tgz]
authorPaul Crowley <paulcrowley@google.com>Fri Aug 06 15:11:53 2021 -0700
committer[6;7~ <paulcrowley@google.com>Wed Aug 11 10:16:28 2021 -0700
tree12ee146b252aafea88e74aff25ece9795b560307
parent7c14f441093ff7b9570c105aa2a442ccbe231862 [diff]
Allow vold to deleteAllKeys in Keystore

Add deleteAllKeys to IKeystoreMaintenance and allow vold to call it.
Allow vold to read the property
`ro.crypto.metadata_init_delete_all_keys.enabled`

Bug: 187105270
Test: booted twice on Cuttlefish
Ignore-AOSP-First: no merge path to this branch from AOSP.
Merged-In: I2fb0e94db9d35c1f19ca7acb2f541cfb13c23524
Change-Id: I2fb0e94db9d35c1f19ca7acb2f541cfb13c23524

diff --git a/prebuilts/api/31.0/private/access_vectors b/prebuilts/api/31.0/private/access_vectors
index 5ff7aef..7496c65 100644
--- a/prebuilts/api/31.0/private/access_vectors
+++ b/prebuilts/api/31.0/private/access_vectors

@@ -730,6 +730,7 @@
 	report_off_body
 	reset
 	unlock
+	delete_all_keys
 }
 
 class keystore2_key

diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts
index 246ffcf..4cec734 100644
--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts

@@ -499,6 +499,7 @@
 ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
 ro.crypto.fde_algorithm                         u:object_r:vold_config_prop:s0 exact string
 ro.crypto.fde_sector_size                       u:object_r:vold_config_prop:s0 exact int
+ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.scrypt_params                         u:object_r:vold_config_prop:s0 exact string
 ro.crypto.set_dun                               u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.volume.contents_mode                  u:object_r:vold_config_prop:s0 exact string

diff --git a/prebuilts/api/31.0/private/vold.te b/prebuilts/api/31.0/private/vold.te
index a802bdb..de0fde4 100644
--- a/prebuilts/api/31.0/private/vold.te
+++ b/prebuilts/api/31.0/private/vold.te

@@ -53,8 +53,9 @@
 allow vold keystore_service:service_manager find;
 allow vold keystore_maintenance_service:service_manager find;
 
-# vold needs to be able to call earlyBootEnded()
+# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
 allow vold keystore:keystore2 early_boot_ended;
+allow vold keystore:keystore2 delete_all_keys;
 
 neverallow {
     domain

diff --git a/private/access_vectors b/private/access_vectors
index 5ff7aef..7496c65 100644
--- a/private/access_vectors
+++ b/private/access_vectors

@@ -730,6 +730,7 @@
 	report_off_body
 	reset
 	unlock
+	delete_all_keys
 }
 
 class keystore2_key

diff --git a/private/property_contexts b/private/property_contexts
index 246ffcf..4cec734 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -499,6 +499,7 @@
 ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
 ro.crypto.fde_algorithm                         u:object_r:vold_config_prop:s0 exact string
 ro.crypto.fde_sector_size                       u:object_r:vold_config_prop:s0 exact int
+ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.scrypt_params                         u:object_r:vold_config_prop:s0 exact string
 ro.crypto.set_dun                               u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.volume.contents_mode                  u:object_r:vold_config_prop:s0 exact string

diff --git a/private/vold.te b/private/vold.te
index a802bdb..de0fde4 100644
--- a/private/vold.te
+++ b/private/vold.te

@@ -53,8 +53,9 @@
 allow vold keystore_service:service_manager find;
 allow vold keystore_maintenance_service:service_manager find;
 
-# vold needs to be able to call earlyBootEnded()
+# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
 allow vold keystore:keystore2 early_boot_ended;
+allow vold keystore:keystore2 delete_all_keys;
 
 neverallow {
     domain