Make Keystore equivalent policy for Keystore2

Bug: 158500146
Bug: 159466840
Test: keystore2_test tests part of this policy
Change-Id: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
Merged-In: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 0891ee5..cbe8ed7 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -18,5 +18,7 @@
 allow binderservicedomain permission_service:service_manager find;
 
 allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow binderservicedomain keystore:keystore2 { get_state };
+allow binderservicedomain keystore:keystore2_key { delete get_info list rebind use };
 
 use_keystore(binderservicedomain)
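Review bot: The new keystore2_key rule directly under the keystore_key rule carries no comment explaining how the two permission sets correspond, and the names do not map one-to-one (the old rule has get insert exist sign verify, the new one get_info rebind use). Presumably get_info/rebind/use are the Keystore2 counterparts of exist+get/insert/sign+verify; a short comment above the two added lines, `# Keystore2 equivalents of the keystore_key rule above (get_info ~ get/exist, rebind ~ insert, use ~ sign/verify)`, would let a later reader check the mapping instead of re-deriving it. The same pairing without a comment recurs in the public/app.te hunk.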
diff --git a/private/domain.te b/private/domain.te
index 7735ad7..6581b11 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -120,6 +120,9 @@
 
 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
+neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
+neverallow { domain -system_server } *:keystore2_key use_dev_id;
+neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
 
 neverallow {
   domain
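Review bot: The two added neverallows for `use_dev_id` and for `keystore:keystore2 { clear_ns lock reset unlock }` sit under a comment that only describes the gen_unique_id restriction, so the reason system_server alone may hold these permissions is undocumented in the file that enforces it. Suggested comments before each: `# Only system_server may attest device identifiers (use_dev_id)` and `# Namespace clearing and lock-state changes of Keystore2 are reserved to system_server`. Note also that the gen_unique_id and use_dev_id rules use the `*` target while the management rule uses `keystore` — consistent with the keystore_key precedent, but worth a word if the asymmetry is intentional. The neverallow block that starts on the last line of the hunk continues outside it.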
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 6ef3ade..f882ab0 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -33,6 +33,7 @@
 
 # Allow GMS core to generate unique hardware IDs
 allow gmscore_app keystore:keystore_key gen_unique_id;
+allow gmscore_app keystore:keystore2_key gen_unique_id;
 
 # Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
 allow gmscore_app selinuxfs:file r_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index 5a2a561..a052f1d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -136,6 +136,16 @@
     user_changed
 };
 
+allow system_app keystore:keystore2_key {
+    delete
+    get_info
+    grant
+    list
+    rebind
+    update
+    use
+};
+
 # settings app reads /proc/version
 allow system_app {
   proc_version
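Review bot: The added `allow system_app keystore:keystore2_key { ... }` block has no comment, although the neighbouring rules in this file do (e.g. the /proc/version rule that follows), and it grants `grant` which the appdomain rule in public/app.te deliberately does not. The block it presumably mirrors ends on the first two context lines of the hunk (`user_changed };`, a keystore_key permission) with its head outside the hunk, so the parallel is not visible to a reader of the new block alone. A comment such as `# Keystore2 counterpart of the keystore_key rule above; grant is needed by system apps that hand keys to other uids` (adjusting the rationale to the actual caller) would tie the two together.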
diff --git a/private/system_server.te b/private/system_server.te
index 0622908..5382508 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -824,6 +824,26 @@
 	user_changed
 };
 
+allow system_server keystore:keystore2 {
+	add_auth
+	clear_ns
+	get_state
+	lock
+	reset
+	unlock
+};
+
+allow system_server keystore:keystore2_key {
+	delete
+	use_dev_id
+	grant
+	get_info
+	list
+	rebind
+	update
+	use
+};
+
 # Allow system server to search and write to the persistent factory reset
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
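Review bot: In the added `allow system_server keystore:keystore2_key { ... }` block the entries are alphabetical except for `use_dev_id` (placed second) and `get_info` (placed after `grant`), so the one permission that domain.te reserves exclusively to system_server is easy to miss in the list; moving `get_info` before `grant` and `use_dev_id` to the end after `use` keeps the sort order the keystore2 block above already follows. Since these two blocks carry the only grants of `use_dev_id`, `clear_ns`, `lock`, `reset` and `unlock` permitted by the neverallows in private/domain.te, a one-line comment above each block naming that relationship, `# system_server is the sole holder of these Keystore2 management permissions; see neverallow rules in domain.te`, would keep the two files in step when either is edited. The block that ends on the hunk's first context lines starts outside the hunk.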
diff --git a/public/app.te b/public/app.te
index 95c4b0a..8263c09 100644
--- a/public/app.te
+++ b/public/app.te
@@ -295,6 +295,7 @@
 allow appdomain zygote:unix_dgram_socket write;
 
 allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info list rebind update };
 
 use_keystore({ appdomain -isolated_app -ephemeral_app })
 
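Review bot: The keystore_key rule grants apps `get_state`, but the new keystore2_key line adds no `keystore:keystore2 { get_state }` counterpart, whereas the binderservicedomain hunk in this same change does add one; if apps query the Keystore2 state the way they query the old service, this hunk will produce a denial that the old policy did not. If that omission is intentional (apps no longer need state queries under Keystore2) a comment saying so would prevent someone re-adding it; otherwise `allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 { get_state };` next to the new line restores parity. This is inferred from the two rules side by side, not from any caller visible here.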
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index ff7a884..8cf2411 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -18,6 +18,7 @@
 # Need to add auth tokens to KeyStore
 use_keystore(fingerprintd)
 allow fingerprintd keystore:keystore_key { add_auth };
+allow fingerprintd keystore:keystore2 { add_auth };
 
 # For permissions checking
 binder_call(fingerprintd, system_server);
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index e1739c2..6ab9727 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -23,6 +23,7 @@
 # Need to add auth tokens to KeyStore
 use_keystore(gatekeeperd)
 allow gatekeeperd keystore:keystore_key { add_auth };
+allow gatekeeperd keystore:keystore2 { add_auth };
 
 # For permissions checking
 allow gatekeeperd system_server:binder call;
diff --git a/public/su.te b/public/su.te
index 99d4603..cefc44d 100644
--- a/public/su.te
+++ b/public/su.te
@@ -47,6 +47,7 @@
   dontaudit su hwservicemanager:hwservice_manager list;
   dontaudit su vndservicemanager:service_manager list;
   dontaudit su keystore:keystore_key *;
+  dontaudit su keystore:keystore2 *;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
   dontaudit su postinstall_file:filesystem *;
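Review bot: The added `dontaudit su keystore:keystore2 *;` mirrors the `keystore_key` line with the service-level class only, while every Keystore2 key operation in this change is checked against the separate `keystore2_key` class, so su's key operations would still be audited. Adding `dontaudit su keystore:keystore2_key *;` alongside it covers both classes the way the single keystore_key line did for the old service. This follows from the class names used in the other hunks; if the intent is to keep key-level audit for su, a comment to that effect would be enough.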