Stop granting permissions on keystore_key class
When keystore was replaced with keystore2 in Android 12, the SELinux
class of keystore keys was changed from keystore_key to keystore2_key.
However, the rules that granted access to keystore_key were never
removed. This CL removes them, as they are no longer needed.
Don't actually remove the class and its permissions from
private/security_classes and private/access_vectors. That would break
the build because they're referenced by rules in prebuilts/.
Bug: 171305684
Test: atest CtsKeystoreTestCases
Flag: exempt, removing obsolete code
Change-Id: I35d9ea22c0d069049a892def15a18696c4f287a3
diff --git a/private/app.te b/private/app.te
index 3c6e5d0..3f838a6 100644
--- a/private/app.te
+++ b/private/app.te
@@ -176,7 +176,6 @@
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 21349df..62be63c 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -18,7 +18,6 @@
# allow all services to run permission checks
allow binderservicedomain permission_service:service_manager find;
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
allow binderservicedomain keystore:keystore2 { get_state };
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
diff --git a/private/domain.te b/private/domain.te
index 1ecb7b6..0861fa5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -214,7 +214,6 @@
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index b662f4f..859c2ec 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -36,7 +36,6 @@
allow gmscore_app perfetto_traces_data_file:file { read getattr };
# Allow GMS core to generate unique hardware IDs
-allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
diff --git a/private/keystore.te b/private/keystore.te
index cd2ef76..73961ac 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -26,7 +26,7 @@
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
-# Keystore need access to the keystore_key context files to load the keystore key backend.
+# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
# Allow keystore to listen to changing boot levels
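Review bot: The rewritten comment on the `+` line keeps the subject-verb mismatch of the line it replaces (`Keystore need access`), and it describes the file by its basename while the rule directly below it refers to the SELinux type. Suggest `# Keystore needs read access to keystore2_key_contexts_file to load the keystore key backend.` so that a grep for the type name lands on its explanation. The rest of keystore.te is outside this hunk.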
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 3833971..868bf15 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -4,10 +4,10 @@
# <namespace> <label>
#
# <namespace> must be an integer in the interval [0 ... 2^31)
-# su_key is a keystore_key namespace for the su domain intended for native tests.
+# su_key is a keystore2_key namespace for the su domain intended for native tests.
0 u:object_r:su_key:s0
-# shell_key is a keystore_key namespace for the shell domain intended for native tests.
+# shell_key is a keystore2_key namespace for the shell domain intended for native tests.
1 u:object_r:shell_key:s0
# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
diff --git a/private/system_app.te b/private/system_app.te
index d0d88e9..4f344cc 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -120,26 +120,6 @@
# Ignore access to zram when Debug.getMemInfo is called.
dontaudit system_app sysfs_zram:dir search;
-allow system_app keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- user_changed
-};
-
allow system_app keystore:keystore2_key {
delete
get_info
diff --git a/private/system_server.te b/private/system_server.te
index c3a56b5..a09dd44 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -973,27 +973,6 @@
add_service(system_server, batteryproperties_service)
-allow system_server keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-};
-
allow system_server keystore:keystore2 {
add_auth
change_password
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 8cf2411..eab38dd 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -17,7 +17,6 @@
# Need to add auth tokens to KeyStore
use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
allow fingerprintd keystore:keystore2 { add_auth };
# For permissions checking
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index d48c5f8..0035bc6 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -22,7 +22,6 @@
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
allow gatekeeperd keystore:keystore2 { add_auth };
allow gatekeeperd authorization_service:service_manager find;
diff --git a/public/racoon.te b/public/racoon.te
index 00d10a4..b0383f0 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -25,10 +25,3 @@
allow racoon vpn_data_file:dir w_dir_perms;
use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
- get
- sign
- verify
-};
diff --git a/public/su.te b/public/su.te
index bcdc322..2887740 100644
--- a/public/su.te
+++ b/public/su.te
@@ -48,7 +48,6 @@
dontaudit su servicemanager:service_manager list;
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
- dontaudit su keystore:keystore_key *;
dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
diff --git a/public/wificond.te b/public/wificond.te
index 98db0d7..1bd89f5 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -33,11 +33,8 @@
typeattribute wificond wifi_keystore_service_server;
add_hwservice(wificond, system_wifi_keystore_hwservice)
-# Allow keystore binder access to serve the HwBinder service.
-allow wificond keystore_service:service_manager find;
-allow wificond keystore:keystore_key get;
-
# Allow keystore2 binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
allow wificond wifi_key:keystore2_key {
get_info
use