Stop granting permission to get_state of keystore2
The get_state permission of the "keystore2" class only guarded the
Binder API IKeystoreMaintenance#getState() served by keystore2. That
API has been removed because it was unused
(https://r.android.com/2768246). Therefore, stop granting the get_state
permission.
Don't actually remove the permission from private/access_vectors. That
would break the build because it's referenced by rules in prebuilts/.
Bug: 296464083
Test: atest CtsKeystoreTestCases
Change-Id: Ie6c7b17a8652f86a75d48c134a6e71a634d63772
diff --git a/private/app.te b/private/app.te
index 3f838a6..19cb2e0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -179,7 +179,6 @@
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;
use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 62be63c..b8ae9f4 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -18,7 +18,6 @@
# allow all services to run permission checks
allow binderservicedomain permission_service:service_manager find;
-allow binderservicedomain keystore:keystore2 { get_state };
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
use_keystore(binderservicedomain)
diff --git a/private/system_server.te b/private/system_server.te
index a09dd44..f9627e3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -979,7 +979,6 @@
change_user
clear_ns
clear_uid
- get_state
lock
pull_metrics
reset