Merge "Allow on-device signing daemon to talk to keystore."
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 1c6573c..b926265 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -13,3 +13,5 @@
# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
100 u:object_r:vold_key:s0
+# odsign_key is a keystore2_key namespace for the on-device signing daemon.
+101 u:object_r:odsign_key:s0
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index cff37eb..990bc29 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -10,3 +10,6 @@
# A keystore2 namespace for vold. Vold need special permission to handle
# its own Keymint blobs.
type vold_key, keystore2_key_type;
+
+# A keystore2 namespace for the on-device signing daemon.
+type odsign_key, keystore2_key_type;
diff --git a/private/odsign.te b/private/odsign.te
index b7fd1f4..b35a3ca 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -21,6 +21,20 @@
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
};
+# talk to binder services (for keystore)
+binder_use(odsign);
+
+# talk to keystore specifically
+use_keystore(odsign);
+
+# Use our dedicated keystore key
+allow odsign odsign_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ use
+};
+
# talk to keymaster
hal_client_domain(odsign, hal_keymaster)
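Review bot: The rule `allow odsign odsign_key:keystore2_key { delete get_info rebind use };` grants `rebind` and `delete`, which let the daemon replace or remove the key under its alias rather than only sign with it, and the one-line comment `# Use our dedicated keystore key` does not say why those lifecycle permissions are needed. Replace it with something like `# odsign owns the lifecycle of the key in its odsign_key namespace: rebind/delete let it (re)generate or rotate the key, get_info/use let it inspect and sign with it` (dropping any permission the daemon does not actually exercise), so a later reviewer can judge whether each one is still required. Because the namespace is dedicated to this daemon, consider also pinning that in policy, e.g. `neverallow { domain -odsign } odsign_key:keystore2_key *;`, unless another domain legitimately needs access to it. Minor style: the added `# talk to binder services` comment sits directly under the closing `};` of the ioctl list with no separating blank line, while the other added blocks are blank-line separated.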