Make Keystore equivalent policy for Keystore2

Bug: 158500146
Bug: 159466840
Test: keystore2_test tests part of this policy
Change-Id: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
Janis Danisevskis 2020-07-27 12:53:20 -07:00
parent 6b1d1b8ccb
commit 5e47d9fab0
9 changed files with 40 additions and 0 deletions


@ -18,5 +18,7 @@ allow binderservicedomain appdomain:fifo_file write;
allow binderservicedomain permission_service:service_manager find;
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
allow binderservicedomain keystore:keystore2 { get_state };
allow binderservicedomain keystore:keystore2_key { delete get_info list rebind use };
use_keystore(binderservicedomain)


@ -120,6 +120,9 @@ neverallow {
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
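Review bot: The new neverallow on keystore:keystore2 pins clear_ns/lock/reset/unlock to system_server but leaves add_auth unconstrained, even though this commit hands add_auth to system_server, fingerprintd and gatekeeperd in the other hunks. Injecting auth tokens is what satisfies the authentication requirement of auth-bound keys, so the set of domains that can do it deserves the same compile-time guarantee as lock/unlock, e.g. `neverallow { domain -system_server -fingerprintd -gatekeeperd } keystore:keystore2 add_auth;`. If other daemons are expected to supply tokens to Keystore2 (the use_keystore() macro and any biometric HAL wrappers are not visible here), the exemption list needs those too. The neverallow block that this hunk ends with continues outside the hunk.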
neverallow {
domain


@ -33,6 +33,7 @@ binder_call(gmscore_app, statsd)
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow gmscore_app selinuxfs:file r_file_perms;


@ -136,6 +136,16 @@ allow system_app keystore:keystore_key {
user_changed
};
allow system_app keystore:keystore2_key {
delete
get_info
grant
list
rebind
update
use
};
# settings app reads /proc/version
allow system_app {
proc_version


@ -824,6 +824,26 @@ allow system_server keystore:keystore_key {
user_changed
};
allow system_server keystore:keystore2 {
add_auth
clear_ns
get_state
lock
reset
unlock
};
allow system_server keystore:keystore2_key {
delete
use_dev_id
grant
get_info
list
rebind
update
use
};
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
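Review bot: The new keystore2_key permission list places `use_dev_id` between `delete` and `grant`, which breaks the alphabetical ordering used by the keystore_key block above it and by the parallel system_app block in this commit; move it to the end, after `use`. Since use_dev_id is the one key permission this commit reserves for system_server via neverallow, a comment on the block would tell the next reader why it appears here and nowhere else: `# use_dev_id: device-identifier attestation is restricted to system_server by neverallow`. The keystore_key allow block whose closing brace opens this hunk starts outside the hunk.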


@ -295,6 +295,7 @@ control_logd({ appdomain -ephemeral_app })
allow appdomain zygote:unix_dgram_socket write;
allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info list rebind update };
use_keystore({ appdomain -isolated_app -ephemeral_app })
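Review bot: The appdomain keystore2_key permission set `{ delete use get_info list rebind update }` is not sorted, unlike the system_app list added in the same commit; `{ delete get_info list rebind update use }` keeps the two rules easy to diff against each other. The omission of `grant` for ordinary apps reads as deliberate (system_app and system_server get it, apps do not), and a one-line comment saying so, `# apps may not grant their keys to other UIDs`, would stop a later change from "fixing" it. Whether apps also need `keystore:keystore2 get_state`, which the legacy keystore_key rule on the previous line gives them and binderservicedomain receives in this commit, cannot be settled from this hunk; if Keystore2 clients query lock state through that permission it is missing here.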


@ -18,6 +18,7 @@ allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
# Need to add auth tokens to KeyStore
use_keystore(fingerprintd)
allow fingerprintd keystore:keystore_key { add_auth };
allow fingerprintd keystore:keystore2 { add_auth };
# For permissions checking
binder_call(fingerprintd, system_server);


@ -23,6 +23,7 @@ add_service(gatekeeperd, gatekeeper_service)
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };
allow gatekeeperd keystore:keystore2 { add_auth };
# For permissions checking
allow gatekeeperd system_server:binder call;


@ -47,6 +47,7 @@ userdebug_or_eng(`
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su postinstall_file:filesystem *;
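Review bot: Only the keystore2 class is dontaudit'ed for su here; the legacy line above silences keystore_key, but nothing silences the new keystore2_key class, so on userdebug/eng builds root shell access to Keystore2 keys will still log denials that the equivalent legacy access does not. Add `dontaudit su keystore:keystore2_key *;` next to the new line, assuming keystore2_key objects carry the keystore label as the allow rules elsewhere in this commit (`keystore:keystore2_key`) indicate. The userdebug_or_eng block containing these lines starts outside the hunk.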