Add keystore_key:attest_unique_id to priv_app. Only privileged apps are supposed to be able to get unique IDs from attestation. Test: CTS test verifies the negative condition, manual the positive Bug: 34671471 Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578

commit: a0c7f01299c41157d123da0792fbf9ce2a26f9d3 [log] [tgz]
author: Shawn Willden <swillden@google.com> Tue Apr 11 09:41:25 2017 -0600
committer: Shawn Willden <swillden@google.com> Wed Apr 12 06:39:14 2017 -0600
tree: af8f80e4f1013541649c643a5ee7b85678073636
parent: 93b97da89fddb86867239cb451272a8fc7b4aa5c [diff] [blame]
diff --git a/private/priv_app.te b/private/priv_app.te
index 38ce673..a703ba8 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te

@@ -114,6 +114,9 @@
 # TODO: narrow this to just MediaProvider
 allow priv_app mnt_media_rw_file:dir search;
 
+# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
+allow priv_app keystore:keystore_key gen_unique_id;
+
 read_runtime_log_tags(priv_app)
 
 ###
commit	a0c7f01299c41157d123da0792fbf9ce2a26f9d3	[log] [tgz]
author	Shawn Willden <swillden@google.com>	Tue Apr 11 09:41:25 2017 -0600
committer	Shawn Willden <swillden@google.com>	Wed Apr 12 06:39:14 2017 -0600
tree	af8f80e4f1013541649c643a5ee7b85678073636
parent	93b97da89fddb86867239cb451272a8fc7b4aa5c [diff] [blame]