Add keystore2 namespace for LocksettingsService.
Bug: 184664830
Test: N/A
Change-Id: Ie04186eddaae689b968690b2bb0d3692c81ac645
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 5695cc3..3833971 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -16,10 +16,13 @@
# odsign_key is a keystore2_key namespace for the on-device signing daemon.
101 u:object_r:odsign_key:s0
-# wifi_key is a keystore2_key namspace for the WI-FI subsystem. It replaces the WIFI_UID
+# wifi_key is a keystore2_key namespace for the WI-FI subsystem. It replaces the WIFI_UID
# namespace in keystore.
102 u:object_r:wifi_key:s0
+# locksettings_key is a keystore2_key namespace for the LockSettingsService.
+103 u:object_r:locksettings_key:s0
+
# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
120 u:object_r:resume_on_reboot_key:s0
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index 8d33d5d..2f97608 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -14,6 +14,9 @@
# A keystore2 namespace for the on-device signing daemon.
type odsign_key, keystore2_key_type;
+# A keystore2 namespace for LockSettingsService.
+type locksettings_key, keystore2_key_type;
+
# A keystore2 namespace for resume on reboot.
type resume_on_reboot_key, keystore2_key_type;
diff --git a/private/system_server.te b/private/system_server.te
index 084ea22..1bab3e7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -905,6 +905,16 @@
use
};
+# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
+allow system_server locksettings_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;