Merge "Add keystore_key:attest_unique_id to priv_app." into oc-dev
diff --git a/private/access_vectors b/private/access_vectors
index dcd86c2..6b08d9e 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -702,6 +702,7 @@
clear_uid
add_auth
user_changed
+ gen_unique_id
}
class drmservice {
diff --git a/private/domain.te b/private/domain.te
index 6f8814e..d37a0bd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -13,3 +13,6 @@
-system_server
userdebug_or_eng(`-perfprofd')
} self:capability sys_ptrace;
+
+# Limit ability to generate hardware unique device ID attestations to priv_apps
+neverallow { domain -priv_app } *:keystore_key gen_unique_id;
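Review bot: The neverallow on the last line of this hunk carves out the entire priv_app domain, so every privileged app, not only the "GMS core" example named in the priv_app.te hunk's comment, may request gen_unique_id on any keystore_key target, and nothing in this change narrows it further. If a single client is the intent, SEPolicy cannot express that at this granularity, so the comment should say so rather than imply a narrower grant: `# Limit ability to generate hardware unique device ID attestations to priv_app. This cannot be narrowed to a single app in policy; any priv_app may obtain one.` The same caveat belongs on the `allow priv_app keystore:keystore_key gen_unique_id;` rule in priv_app.te, where a TODO in the style of the MediaProvider note above it would make the over-broad grant visible to later reviewers. Note also that `{ domain -priv_app }` includes keystore itself; that is presumably harmless if keystore never checks this permission on its own behalf, but it is worth confirming against the keystore code.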
diff --git a/private/priv_app.te b/private/priv_app.te
index 38ce673..a703ba8 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -114,6 +114,9 @@
# TODO: narrow this to just MediaProvider
allow priv_app mnt_media_rw_file:dir search;
+# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
+allow priv_app keystore:keystore_key gen_unique_id;
+
read_runtime_log_tags(priv_app)
###