Add keystore2 namespace for LocksettingsService.

Bug: 184664830
Test: N/A
Change-Id: Ie04186eddaae689b968690b2bb0d3692c81ac645

private/keystore2_key_contexts

@@ -16,10 +16,13 @@
 # odsign_key is a keystore2_key namespace for the on-device signing daemon.
 101            u:object_r:odsign_key:s0
 
-# wifi_key is a keystore2_key namspace for the WI-FI subsystem. It replaces the WIFI_UID
+# wifi_key is a keystore2_key namespace for the WI-FI subsystem. It replaces the WIFI_UID
 # namespace in keystore.
 102            u:object_r:wifi_key:s0
 
+# locksettings_key is a keystore2_key namespace for the LockSettingsService.
+103            u:object_r:locksettings_key:s0
+
 # resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
 120            u:object_r:resume_on_reboot_key:s0
 

private/keystore_keys.te

@@ -14,6 +14,9 @@ type vold_key, keystore2_key_type;
 # A keystore2 namespace for the on-device signing daemon.
 type odsign_key, keystore2_key_type;
 
+# A keystore2 namespace for LockSettingsService.
+type locksettings_key, keystore2_key_type;
+
 # A keystore2 namespace for resume on reboot.
 type resume_on_reboot_key, keystore2_key_type;
 

private/system_server.te

@@ -905,6 +905,16 @@ allow system_server resume_on_reboot_key:keystore2_key {
 	use
 };
 
+# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
+allow system_server locksettings_key:keystore2_key {
+	delete
+	get_info
+	rebind
+	update
+	use
+};
+
+
 # Allow system server to search and write to the persistent factory reset
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;