Move list permission from keystore2_key to keystore class.

The list permission protects the ability to list arbitrary namespaces.
This is not a namespace specific permission but a Keystore specific
permission. Listing the entries of a given namsepace is covered by the
get_info permission already.

Ignore-AOSP-First: This needs to land in googleplex first to updated
                   prebuilt vendor images. Otherwise it breaks
                   aosp-with-phone builds.
Test: N/A
Change-Id: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8

private/access_vectors

@@ -716,6 +716,7 @@ class keystore2
 	add_auth
 	clear_ns
 	get_state
+	list
 	lock
 	reset
 	unlock
@@ -727,7 +728,6 @@ class keystore2_key
 	gen_unique_id
 	get_info
 	grant
-	list
 	manage_blob
 	rebind
 	req_forced_op

private/binderservicedomain.te

@@ -19,6 +19,6 @@ allow binderservicedomain permission_service:service_manager find;
 
 allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
 allow binderservicedomain keystore:keystore2 { get_state };
-allow binderservicedomain keystore:keystore2_key { delete get_info list rebind use };
+allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
 
 use_keystore(binderservicedomain)

private/shell.te

@@ -152,4 +152,4 @@ userdebug_or_eng(`
 allow shell keystore2_key_contexts_file:file r_file_perms;
 
 # Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
-allow shell shell_key:keystore2_key { delete rebind use get_info list update };
+allow shell shell_key:keystore2_key { delete rebind use get_info update };

private/system_app.te

@@ -139,7 +139,6 @@ allow system_app keystore:keystore2_key {
     delete
     get_info
     grant
-    list
     rebind
     update
     use

private/system_server.te

@@ -837,7 +837,6 @@ allow system_server keystore:keystore2_key {
 	use_dev_id
 	grant
 	get_info
-	list
 	rebind
 	update
 	use

private/vold.te

@@ -37,7 +37,6 @@ set_prop(vold, boottime_public_prop)
 allow vold vold_key:keystore2_key {
     delete
     get_info
-    list
     manage_blob
     rebind
     req_forced_op

public/app.te

@@ -295,7 +295,7 @@ control_logd({ appdomain -ephemeral_app })
 allow appdomain zygote:unix_dgram_socket write;
 
 allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info list rebind update };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
 
 use_keystore({ appdomain -isolated_app -ephemeral_app })