Stop granting permissions on keystore_key class
When keystore was replaced with keystore2 in Android 12, the SELinux
class of keystore keys was changed from keystore_key to keystore2_key.
However, the rules that granted access to keystore_key were never
removed. This CL removes them, as they are no longer needed.
The class and its permissions are deliberately left in
private/security_classes and private/access_vectors: removing them would
break the build, because rules in prebuilts/ still reference them.
Bug: 171305684
Test: atest CtsKeystoreTestCases
Flag: exempt, removing obsolete code
Change-Id: I35d9ea22c0d069049a892def15a18696c4f287a3
diff --git a/private/app.te b/private/app.te
index 3c6e5d0..3f838a6 100644
--- a/private/app.te
+++ b/private/app.te
@@ -176,7 +176,6 @@
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 21349df..62be63c 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -18,7 +18,6 @@
# allow all services to run permission checks
allow binderservicedomain permission_service:service_manager find;
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
allow binderservicedomain keystore:keystore2 { get_state };
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
diff --git a/private/domain.te b/private/domain.te
index 1ecb7b6..0861fa5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -214,7 +214,6 @@
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
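Review bot: Removing the `neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;` line drops the only build-time check that still applies to a class this change deliberately keeps in security_classes and access_vectors. If, as the description says, nothing enforces keystore_key any more, the loss is harmless, but a rule in prebuilts/ or vendor policy that grants `*:keystore_key gen_unique_id` would no longer be rejected at policy compile time, and the description does not say that was considered. Either keep the old neverallow next to the keystore2_key one until the class itself is dropped, or add a comment above the remaining neverallow such as `# keystore_key is obsolete and unenforced; the class is kept only for prebuilts/ compatibility.` so the next reader knows why only keystore2_key is guarded.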
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index b662f4f..859c2ec 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -36,7 +36,6 @@
allow gmscore_app perfetto_traces_data_file:file { read getattr };
# Allow GMS core to generate unique hardware IDs
-allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
diff --git a/private/keystore.te b/private/keystore.te
index cd2ef76..73961ac 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -26,7 +26,7 @@
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
-# Keystore need access to the keystore_key context files to load the keystore key backend.
+# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
# Allow keystore to listen to changing boot levels
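Review bot: The rewritten comment still reads `Keystore need access`; since the line is being touched anyway, fix the verb: `# Keystore needs access to the keystore2_key_contexts file to load the keystore key backend.` The allow rule it documents is unchanged.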
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 3833971..868bf15 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -4,10 +4,10 @@
# <namespace> <label>
#
# <namespace> must be an integer in the interval [0 ... 2^31)
-# su_key is a keystore_key namespace for the su domain intended for native tests.
+# su_key is a keystore2_key namespace for the su domain intended for native tests.
0 u:object_r:su_key:s0
-# shell_key is a keystore_key namespace for the shell domain intended for native tests.
+# shell_key is a keystore2_key namespace for the shell domain intended for native tests.
1 u:object_r:shell_key:s0
# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
diff --git a/private/system_app.te b/private/system_app.te
index d0d88e9..4f344cc 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -120,26 +120,6 @@
# Ignore access to zram when Debug.getMemInfo is called.
dontaudit system_app sysfs_zram:dir search;
-allow system_app keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- user_changed
-};
-
allow system_app keystore:keystore2_key {
delete
get_info
diff --git a/private/system_server.te b/private/system_server.te
index c3a56b5..a09dd44 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -973,27 +973,6 @@
add_service(system_server, batteryproperties_service)
-allow system_server keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-};
-
allow system_server keystore:keystore2 {
add_auth
change_password