Keystore 2.0: Add permissions and policy for user manager AIDL.

Bug: 176123105
Test: User can set a password and unlock the phone.
Change-Id: I96c033328eb360413e82e82c0c69210dea2ddac9
diff --git a/private/access_vectors b/private/access_vectors
index 1420360..a02a2a8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -714,7 +714,10 @@
 class keystore2
 {
 	add_auth
+	change_password
+	change_user
 	clear_ns
+	clear_uid
 	get_state
 	list
 	lock
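Review bot: The three permissions added to `class keystore2` carry no comment saying which call each one gates, so the meaning of `change_password`, `change_user` and `clear_uid` has to be inferred from the names. A short header comment above the class would help policy auditors, for example `# change_password / change_user / clear_uid: checked by keystore for the user manager interface; see system_server.te for the only grant`. The wording is inferred from the commit title and should be confirmed against the keystore2 service code, which is not part of this diff. The class body continues outside the hunk.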
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 3eace95..0e572a9 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -98,6 +98,7 @@
     texttospeech_service
     transformer_service
     update_engine_stable_service
+    usermanager_service
     userspace_reboot_metadata_file
     vcn_management_service
     vibrator_manager_service
diff --git a/private/service_contexts b/private/service_contexts
index 502403c..0c6e475 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -33,6 +33,7 @@
 android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
+android.security.usermanager              u:object_r:usermanager_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 android.system.keystore2                  u:object_r:keystore_service:s0
 app_binding                               u:object_r:app_binding_service:s0
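Review bot: The label `usermanager_service` does not say that keystore owns this service, and together with the name `android.security.usermanager` it reads like the framework's user manager. That makes it harder to audit which domains hold `find` on a keystore-hosted interface. A type name that carries the owner, such as `keystore_usermanager_service`, would be clearer. The same name would then be used in the `public/service.te`, `public/keystore.te`, `private/system_server.te` and `30.0.ignore.cil` hunks.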
diff --git a/private/system_server.te b/private/system_server.te
index e1919e2..a3e1f97 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -824,6 +824,7 @@
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
+allow system_server usermanager_service:service_manager find;
 allow system_server vold_service:service_manager find;
 allow system_server wifinl80211_service:service_manager find;
 userdebug_or_eng(`
@@ -855,7 +856,10 @@
 
 allow system_server keystore:keystore2 {
 	add_auth
+	change_password
+	change_user
 	clear_ns
+	clear_uid
 	get_state
 	lock
 	reset
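Review bot: `change_password`, `change_user` and `clear_uid` are granted to system_server here, but nothing in this diff prevents a later rule from granting them to another domain. Judging by their names they gate user credential and key lifecycle operations, so a neverallow next to the grant would pin the intended caller, for example `neverallow { domain -system_server } keystore:keystore2 { change_password change_user };`. Whether `clear_uid` belongs in the same set depends on the intended callers, which the diff does not show. If the policy already has such a neverallow elsewhere, it should be extended to cover the new permissions. The allow statement's closing brace is outside the hunk.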
diff --git a/public/keystore.te b/public/keystore.te
index b8c599c..df650c1 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -19,6 +19,7 @@
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
+add_service(keystore, usermanager_service)
 
 # Check SELinux permissions.
 selinux_check_access(keystore)
diff --git a/public/service.te b/public/service.te
index aea1b7c..05e19df 100644
--- a/public/service.te
+++ b/public/service.te
@@ -39,6 +39,7 @@
 type system_suspend_control_service, service_manager_type;
 type update_engine_service,     service_manager_type;
 type update_engine_stable_service, service_manager_type;
+type usermanager_service,       service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
 type vr_hwc_service,            service_manager_type;