Add `su_key`, a keystore2_key namespace for `su`.
Add a keystore2_key namespace that can be used by `su` for testing.
Test: keystore2_test
Bug: 158500146
Bug: 160623310
Bug: 159466840
Change-Id: I017a10ad8c7fce28e8bc921b764e65c49bae5107
Merged-In: I017a10ad8c7fce28e8bc921b764e65c49bae5107
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 49dbeae..43a39e5 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -4,6 +4,9 @@
# <namespace> <label>
#
# <namespace> must be an integer in the interval [0 ... 2^31)
+# su_key is a keystore_key namespace for the su domain intended for native tests.
+0 u:object_r:su_key:s0
+
# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
100 u:object_r:vold_key:s0
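Review bot: The new comment on the first added line describes su_key as a `keystore_key` namespace, while the file header and the neighbouring vold_key entry use `keystore2_key`; the mismatch is small but confusing when grepping this policy for one term. Suggest `# su_key is a keystore2_key namespace for the su domain intended for native tests.` The label itself follows the existing `u:object_r:<type>:s0` form and the namespace value 0 is within the documented interval, so only the comment wording needs attention.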
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index 9fc5292..99211bf 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -1,6 +1,9 @@
# Specify keystore2_key namespaces in this file.
# Please keep the names in alphabetical order and comment each new entry.
+# A keystore2 namespace for the su domain. Mainly used for native tests.
+type su_key, keystore2_key_type;
+
# A keystore2 namespace for vold. Vold need special permission to handle
# its own Keymint blobs.
type vold_key, keystore2_key_type;
diff --git a/private/su.te b/private/su.te
index 16e47bb..072e8db 100644
--- a/private/su.te
+++ b/private/su.te
@@ -20,4 +20,8 @@
permissive su;
app_domain(su)
+
+ # Do not audit accesses to keystore2 namespace for the su domain.
+ dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
+
')
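Review bot: The added dontaudit rule is broader than its comment states: the comment says "accesses to keystore2 namespace for the su domain", but the target is the attribute `keystore2_key_type`, so denials against every keystore2 namespace, including the vold_key type declared alongside su_key in this change, are silenced for su, not just the new su_key namespace. Because `permissive su;` on the preceding context line means denials are logged but not enforced, the audit record is the only visible trace of such accesses, so the scope of what is suppressed should be deliberate and documented; either narrow the rule to `dontaudit su su_key:{ keystore2 keystore2_key } *;` or reword the comment to say all keystore2 namespaces are covered and why. The new lines are also indented by one space while the surrounding `permissive su;` and `app_domain(su)` sit at column 0; matching the existing indentation keeps the block consistent. The enclosing macro block that `')` closes starts outside this hunk.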