Restrict kernel keyring search capability

The original use case has already been deprecated.

Test: TH
Bug: 384942085
Change-Id: Icc01be819b89a2b2da23c601f393660cd042a771
diff --git a/flagging/Android.bp b/flagging/Android.bp
index c92991f..b9cef64 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -31,6 +31,7 @@
         "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
         "RELEASE_UNLOCKED_STORAGE_API",
         "RELEASE_BLUETOOTH_SOCKET_SERVICE",
+        "RELEASE_SEPOLICY_RESTRICT_KERNEL_KEYRING_SEARCH",
     ],
     export_to: ["all_selinux_flags"],
 }
diff --git a/private/domain.te b/private/domain.te
index b912aae..6999586 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -530,7 +530,9 @@
 
 # Needed for loading kernel modules.
 # TODO(384942085): Reduce the scope.
+is_flag_disabled(RELEASE_SEPOLICY_RESTRICT_KERNEL_KEYRING_SEARCH, `
 allow domain kernel:key search;
+')
 
 # Allow access to linkerconfig file
 allow domain linkerconfig_file:dir search;
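Review bot: The comment kept above the gated rule (`# Needed for loading kernel modules.` plus the open TODO) no longer describes what the policy does, because `allow domain kernel:key search;` now exists only while RELEASE_SEPOLICY_RESTRICT_KERNEL_KEYRING_SEARCH is disabled. I would reword it to something like `# Legacy domain-wide kernel keyring search; dropped when RELEASE_SEPOLICY_RESTRICT_KERNEL_KEYRING_SEARCH is enabled.` so the least-privilege intent is readable at the rule itself. No narrower replacement grant is visible in this diff, so with the flag enabled any domain that still searches the kernel keyring would presumably hit `key search` denials. It is worth confirming from the avc logs of a flag-enabled build that none remain before the flag ships enabled.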