Make Keystore equivalent policy for Keystore2

Bug: 158500146
Bug: 159466840
Test: keystore2_test tests part of this policy
Change-Id: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
Merged-In: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 0891ee5..cbe8ed7 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -18,5 +18,7 @@
 allow binderservicedomain permission_service:service_manager find;
 
 allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow binderservicedomain keystore:keystore2 { get_state };
+allow binderservicedomain keystore:keystore2_key { delete get_info list rebind use };
 
 use_keystore(binderservicedomain)
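Review bot: The added `keystore2_key` rule grants `delete`, `rebind` and `use` to every domain carrying the binderservicedomain attribute, with no comment saying which of them are actually needed. The existing `keystore_key` rule just above is equally broad, so this fits the commit's stated goal, but the new permission names do not map one-to-one onto the old ones and a reader cannot tell which were carried over deliberately. I would add a comment such as `# Keystore2 equivalent of the keystore_key rule above; narrow once the callers needing delete/rebind are known`. As a style point, the braces in `{ get_state }` can be dropped to match the unbraced single permission used for `gen_unique_id` in gmscore_app.te.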
diff --git a/private/domain.te b/private/domain.te
index 7735ad7..6581b11 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -120,6 +120,9 @@
 
 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
+neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
+neverallow { domain -system_server } *:keystore2_key use_dev_id;
+neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
 
 neverallow {
   domain
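Review bot: The third added neverallow omits `add_auth`, which system_server.te in this same commit grants to system_server alongside `clear_ns lock reset unlock`, and it targets `keystore` where the two rules above it use `*`. If `add_auth` is meant to stay system_server-only, nothing here enforces that at build time, and a `keystore2`-class grant against any other target type would not be caught either. Consider `neverallow { domain -system_server } *:keystore2 { add_auth clear_ns lock reset unlock };`, assuming no other domain legitimately needs `add_auth`. The existing comment about unique device ID attestations now also sits over the `use_dev_id` and `keystore2` rules, which it does not describe; a line such as `# Device-ID use and Keystore2 lock/unlock/reset/clear_ns are limited to system_server` would cover them. The `neverallow {` block that follows continues outside the hunk.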
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 6ef3ade..f882ab0 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -33,6 +33,7 @@
 
 # Allow GMS core to generate unique hardware IDs
 allow gmscore_app keystore:keystore_key gen_unique_id;
+allow gmscore_app keystore:keystore2_key gen_unique_id;
 
 # Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
 allow gmscore_app selinuxfs:file r_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index 5a2a561..a052f1d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -136,6 +136,16 @@
     user_changed
 };
 
+allow system_app keystore:keystore2_key {
+    delete
+    get_info
+    grant
+    list
+    rebind
+    update
+    use
+};
+
 # settings app reads /proc/version
 allow system_app {
   proc_version
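Review bot: The new `allow system_app keystore:keystore2_key` block has no comment, unlike the `# settings app reads /proc/version` rule right after it, and it includes `grant`, which presumably lets system_app hand key access to other callers. A one-line comment would record the intent, for example `# Keystore2 key operations for system apps; grant is needed for <reason>`, with the reason filled in by the author. The rule ending in `user_changed };` just above starts outside the hunk, so I cannot confirm it is the keystore_key counterpart this block is meant to mirror.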
diff --git a/private/system_server.te b/private/system_server.te
index 0622908..5382508 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -824,6 +824,26 @@
 	user_changed
 };
 
+allow system_server keystore:keystore2 {
+	add_auth
+	clear_ns
+	get_state
+	lock
+	reset
+	unlock
+};
+
+allow system_server keystore:keystore2_key {
+	delete
+	use_dev_id
+	grant
+	get_info
+	list
+	rebind
+	update
+	use
+};
+
 # Allow system server to search and write to the persistent factory reset
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
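Review bot: In the added `keystore2_key` block the permissions are out of order (`delete use_dev_id grant get_info ...`), while every other list in this commit is alphabetical. Writing it as `delete get_info grant list rebind update use use_dev_id` makes it directly comparable with the system_app.te list and makes the one extra permission stand out. Both new blocks also lack a comment, and they are the privileged ones: `clear_ns lock reset unlock` and `use_dev_id` are exactly what the new neverallow rules in domain.te reserve for system_server. I would put `# Keystore2 state management and key use; clear_ns, lock, reset, unlock and use_dev_id are system_server-only (see neverallow in domain.te)` above the first block. The rule ending in `user_changed };` above starts outside the hunk.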