Keystore 2.0: sepolicy changes for vold to use keystore2
Vold needs to be able to search for keystore2 and keystore2 maintenance
services, and call methods provided by those services.
Bug: 181910578
Change-Id: I6e336c3bfaabe158b850dc175b6c9a942dd717be
diff --git a/private/keystore.te b/private/keystore.te
index 85f1517..aa902d5 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -24,3 +24,8 @@
allow keystore keystore2_key_contexts_file:file r_file_perms;
get_prop(keystore, keystore_listen_prop)
+
+# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
+# can call keystore methods on those references.
+allow keystore vold:binder transfer;
+allow keystore wait_for_keymaster:binder transfer;
diff --git a/private/vold.te b/private/vold.te
index 93a3515..d794abf 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -45,7 +45,11 @@
use
};
+# vold needs to call keystore methods
+allow vold keystore:binder call;
+
# vold needs to find keystore2 services
+allow vold keystore_service:service_manager find;
allow vold keystore_maintenance_service:service_manager find;
# vold needs to be able to call earlyBootEnded()
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
index 85a28da..8878acf 100644
--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
@@ -7,3 +7,9 @@
hal_client_domain(wait_for_keymaster, hal_keymaster)
allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
+
+# wait_for_keymaster needs to find keystore and call methods with the returned
+# binder reference.
+allow wait_for_keymaster servicemanager:binder call;
+allow wait_for_keymaster keystore_service:service_manager find;
+allow wait_for_keymaster keystore:binder call;