Merge changes from topic "keystore_api_for_credstore"
* changes:
Credstore: Add rules to allow credstore read keystore2_enable property.
Add get_auth_token permission to allow credstore to call keystore2.
diff --git a/private/access_vectors b/private/access_vectors
index a02a2a8..1ab4f73 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -718,6 +718,7 @@
change_user
clear_ns
clear_uid
+ get_auth_token
get_state
list
lock
diff --git a/private/credstore.te b/private/credstore.te
index 8d87e2f..a1c3263 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -4,3 +4,6 @@
# talk to Identity Credential
hal_client_domain(credstore, hal_identity)
+
+# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
+get_prop(credstore, keystore2_enable_prop)
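Review bot: The TODO above `get_prop(credstore, keystore2_enable_prop)` says to remove "this property", but it does not mention the matching `-credstore` exemption that this commit adds to the `keystore2_enable_prop` neverallow in private/property.te. The comment is the only marker for the temporary access, so it should name both places so they are cleaned up together. I would word it as `# TODO(b/171563717): remove this rule and the -credstore exemption in private/property.te once the Keystore 2.0 migration is complete`.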
diff --git a/private/property.te b/private/property.te
index 9ec2a1a..d9cc93c 100644
--- a/private/property.te
+++ b/private/property.te
@@ -548,6 +548,7 @@
-system_app
-system_server
-zygote
+ -credstore
} keystore2_enable_prop:file no_rw_file_perms;
neverallow {
diff --git a/public/credstore.te b/public/credstore.te
index a2376d2..97d942d 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -12,6 +12,8 @@
add_service(credstore, credstore_service)
allow credstore sec_key_att_app_id_provider_service:service_manager find;
allow credstore dropbox_service:service_manager find;
+allow credstore authorization_service:service_manager find;
+allow credstore keystore:keystore2 get_auth_token;
r_dir_file(credstore, cgroup)
r_dir_file(credstore, cgroup_v2)
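Review bot: The added `allow credstore keystore:keystore2 get_auth_token;` has no comment saying why credstore needs auth tokens, and nothing visible in this change prevents another domain from being granted the same permission later. Because the permission gates access to authentication tokens held by keystore, it is worth pinning to its one intended caller. I would add a one-line comment above the rule stating the purpose, and a guard such as `neverallow { domain -credstore } keystore:keystore2 get_auth_token;` alongside the keystore policy. The guard is only needed if no equivalent rule already exists outside this diff, and any other domain that legitimately needs the permission would have to be added to its exception set.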