Make Keystore equivalent policy for Keystore2

Bug: 158500146
Bug: 159466840
Test: keystore2_test tests part of this policy
Change-Id: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc
Merged-In: Id3dcb2ba4423d93170b9ba7ecf8aed0580ce83bc

private/binderservicedomain.te

@@ -18,5 +18,7 @@ allow binderservicedomain appdomain:fifo_file write;
 allow binderservicedomain permission_service:service_manager find;
 
 allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow binderservicedomain keystore:keystore2 { get_state };
+allow binderservicedomain keystore:keystore2_key { delete get_info list rebind use };
 
 use_keystore(binderservicedomain)

private/domain.te

@@ -120,6 +120,9 @@ neverallow {
 
 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
+neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
+neverallow { domain -system_server } *:keystore2_key use_dev_id;
+neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
 
 neverallow {
   domain

private/gmscore_app.te

@@ -33,6 +33,7 @@ binder_call(gmscore_app, statsd)
 
 # Allow GMS core to generate unique hardware IDs
 allow gmscore_app keystore:keystore_key gen_unique_id;
+allow gmscore_app keystore:keystore2_key gen_unique_id;
 
 # Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
 allow gmscore_app selinuxfs:file r_file_perms;

private/system_app.te

@@ -136,6 +136,16 @@ allow system_app keystore:keystore_key {
     user_changed
 };
 
+allow system_app keystore:keystore2_key {
+    delete
+    get_info
+    grant
+    list
+    rebind
+    update
+    use
+};
+
 # settings app reads /proc/version
 allow system_app {
   proc_version

private/system_server.te

@@ -824,6 +824,26 @@ allow system_server keystore:keystore_key {
 	user_changed
 };
 
+allow system_server keystore:keystore2 {
+	add_auth
+	clear_ns
+	get_state
+	lock
+	reset
+	unlock
+};
+
+allow system_server keystore:keystore2_key {
+	delete
+	use_dev_id
+	grant
+	get_info
+	list
+	rebind
+	update
+	use
+};
+
 # Allow system server to search and write to the persistent factory reset
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;

public/app.te

@@ -295,6 +295,7 @@ control_logd({ appdomain -ephemeral_app })
 allow appdomain zygote:unix_dgram_socket write;
 
 allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info list rebind update };
 
 use_keystore({ appdomain -isolated_app -ephemeral_app })
 

public/fingerprintd.te

@@ -18,6 +18,7 @@ allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
 # Need to add auth tokens to KeyStore
 use_keystore(fingerprintd)
 allow fingerprintd keystore:keystore_key { add_auth };
+allow fingerprintd keystore:keystore2 { add_auth };
 
 # For permissions checking
 binder_call(fingerprintd, system_server);

public/gatekeeperd.te

@@ -23,6 +23,7 @@ add_service(gatekeeperd, gatekeeper_service)
 # Need to add auth tokens to KeyStore
 use_keystore(gatekeeperd)
 allow gatekeeperd keystore:keystore_key { add_auth };
+allow gatekeeperd keystore:keystore2 { add_auth };
 
 # For permissions checking
 allow gatekeeperd system_server:binder call;

public/su.te

@@ -47,6 +47,7 @@ userdebug_or_eng(`
   dontaudit su hwservicemanager:hwservice_manager list;
   dontaudit su vndservicemanager:service_manager list;
   dontaudit su keystore:keystore_key *;
+  dontaudit su keystore:keystore2 *;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
   dontaudit su postinstall_file:filesystem *;