Make Keystore equivalent policy for Keystore2
Bug: 158500146 Bug: 159466840 Test: keystore2_test tests part of this policy Change-Id: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
This commit is contained in:
parent
6b1d1b8ccb
commit
5e47d9fab0
9 changed files with 40 additions and 0 deletions
@ -18,5 +18,7 @@ allow binderservicedomain appdomain:fifo_file write;
allow binderservicedomain permission_service:service_manager find;
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
allow binderservicedomain keystore:keystore2 { get_state };
allow binderservicedomain keystore:keystore2_key { delete get_info list rebind use };
use_keystore(binderservicedomain)
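Review bot: The keystore2_key set on the `allow binderservicedomain keystore:keystore2_key { delete get_info list rebind use };` line omits `update`, although the legacy keystore_key set on the line above it is exactly the one app.te grants to `{ appdomain -isolated_app -ephemeral_app }` later in this commit, and the keystore2_key set added there does include `update`. If both domains are meant to keep the same rights under keystore2 that they had under keystore_key, one of the two sets is wrong; if the difference is intended, a comment saying why binder services do not need `update` would stop the next reader from "fixing" it. If parity is the goal the line would become `allow binderservicedomain keystore:keystore2_key { delete get_info list rebind update use };`.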
@ -120,6 +120,9 @@ neverallow {
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
neverallow {
domain
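Review bot: The two new neverallow rules restricting `use_dev_id` on keystore2_key and `{ clear_ns lock reset unlock }` on keystore:keystore2 to system_server carry no comment, while the neighbouring gen_unique_id neverallow does; neverallow rules are the part of this file that records policy intent, so each should say why system_server is the sole exception. Suggested comments: `# Only system_server may use device identifiers (use_dev_id) with keystore2 keys` above the use_dev_id rule and `# Only system_server may lock/unlock/reset keystore2 or clear a namespace` above the keystore:keystore2 rule. It is also worth stating in that second comment that `add_auth` and `get_state` are intentionally left out, since fingerprintd, gatekeeperd and binderservicedomain are granted those elsewhere in this commit and a reader could otherwise take the omission for an oversight. The `neverallow {` block that begins at the end of the hunk continues outside it.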
@ -33,6 +33,7 @@ binder_call(gmscore_app, statsd)
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow gmscore_app selinuxfs:file r_file_perms;
@ -136,6 +136,16 @@ allow system_app keystore:keystore_key {
user_changed
};
allow system_app keystore:keystore2_key {
delete
get_info
grant
list
rebind
update
use
};
# settings app reads /proc/version
allow system_app {
proc_version
@ -824,6 +824,26 @@ allow system_server keystore:keystore_key {
user_changed
};
allow system_server keystore:keystore2 {
add_auth
clear_ns
get_state
lock
reset
unlock
};
allow system_server keystore:keystore2_key {
delete
use_dev_id
grant
get_info
list
rebind
update
use
};
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
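Review bot: The permission list inside `allow system_server keystore:keystore2_key {` is not in any order (`use_dev_id` sits between `delete` and `grant`, `get_info` comes after `grant`), whereas the keystore:keystore2 list directly above it and the system_app keystore2_key list in this same commit are alphabetical. Sorting it to `delete get_info grant list rebind update use use_dev_id` keeps the file greppable and makes the sensitive `use_dev_id` permission easy to spot at the end rather than buried second. The legacy `allow system_server keystore:keystore_key {` block that the hunk opens on begins before the hunk.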
@ -295,6 +295,7 @@ control_logd({ appdomain -ephemeral_app })
allow appdomain zygote:unix_dgram_socket write;
allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info list rebind update };
use_keystore({ appdomain -isolated_app -ephemeral_app })
@ -18,6 +18,7 @@ allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
# Need to add auth tokens to KeyStore
use_keystore(fingerprintd)
allow fingerprintd keystore:keystore_key { add_auth };
allow fingerprintd keystore:keystore2 { add_auth };
# For permissions checking
binder_call(fingerprintd, system_server);
@ -23,6 +23,7 @@ add_service(gatekeeperd, gatekeeper_service)
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };
allow gatekeeperd keystore:keystore2 { add_auth };
# For permissions checking
allow gatekeeperd system_server:binder call;
@ -47,6 +47,7 @@ userdebug_or_eng(`
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su postinstall_file:filesystem *;
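Review bot: The new `dontaudit su keystore:keystore2 *;` line covers only the keystore2 service class, while the legacy line it mirrors, `dontaudit su keystore:keystore_key *;`, is about the key class; every other file in this commit introduces keystore2_key as a separate class, so denials on keystore2_key for su would, as far as this hunk shows, still be audited. If parity with the legacy line is the intent, add `dontaudit su keystore:keystore2_key *;` next to it; if leaving keystore2_key audited is deliberate, a one-line comment would make that clear. The surrounding `userdebug_or_eng(` block starts before the hunk and ends after it.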