Allow mini-keyctl to setattr for restricting keyring This fix the current denial during boot. Test: no more avd denial in dmesg Bug: 112038861 Change-Id: Ie3c3788ff011bcee189b83cfccba6137580f804d

commit: f7bf277313ae9a26da44f3901f5a3333e919e305 [log] [tgz]
author: Victor Hsieh <victorhsieh@google.com> Tue Mar 12 13:46:53 2019 -0700
committer: Victor Hsieh <victorhsieh@google.com> Tue Mar 12 13:46:53 2019 -0700
tree: bde76d2d28f3f543388e413ea09859c351ec384d
parent: 475f6d143f6ece9270c556c4159f245cb58c2bd3 [diff]
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
index c81a17c..53dbfce 100644
--- a/private/mini_keyctl.te
+++ b/private/mini_keyctl.te

@@ -8,7 +8,7 @@
 # Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
 dontaudit mini-keyctl init:key view;
 dontaudit mini-keyctl vold:key view;
-allow mini-keyctl kernel:key { view search write };
+allow mini-keyctl kernel:key { view search write setattr };
 allow mini-keyctl mini-keyctl:key { view search write };
 
 # When kernel requests an algorithm, the crypto API first looks for an
commit	f7bf277313ae9a26da44f3901f5a3333e919e305	[log] [tgz]
author	Victor Hsieh <victorhsieh@google.com>	Tue Mar 12 13:46:53 2019 -0700
committer	Victor Hsieh <victorhsieh@google.com>	Tue Mar 12 13:46:53 2019 -0700
tree	bde76d2d28f3f543388e413ea09859c351ec384d
parent	475f6d143f6ece9270c556c4159f245cb58c2bd3 [diff]