Merge "Revert^2 "Allow vold to deleteAllKeys in Keystore"" into sc-dev am: f87e5bafb5

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/15547742 Change-Id: Ic94a52122a3b4f83d0fda09baaafdbbc1da44991
2021-08-13 02:46:44 +00:00 · 2021-08-13 02:46:44 +00:00 · be75810100
commit be75810100
parent 978a4f445e f87e5bafb5
6 changed files with 8 additions and 2 deletions
--- a/prebuilts/api/31.0/private/access_vectors
+++ b/prebuilts/api/31.0/private/access_vectors
@ -730,6 +730,7 @@ class keystore2
 	report_off_body
 	reset
 	unlock
+	delete_all_keys
 }

 class keystore2_key
--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts
@ -499,6 +499,7 @@ ro.crypto.allow_encrypt_override                u:object_r:vold_config_prop:s0 e
 ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
 ro.crypto.fde_algorithm                         u:object_r:vold_config_prop:s0 exact string
 ro.crypto.fde_sector_size                       u:object_r:vold_config_prop:s0 exact int
+ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.scrypt_params                         u:object_r:vold_config_prop:s0 exact string
 ro.crypto.set_dun                               u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.volume.contents_mode                  u:object_r:vold_config_prop:s0 exact string
--- a/prebuilts/api/31.0/private/vold.te
+++ b/prebuilts/api/31.0/private/vold.te
@ -53,8 +53,9 @@ allow vold keystore:binder call;
 allow vold keystore_service:service_manager find;
 allow vold keystore_maintenance_service:service_manager find;

-# vold needs to be able to call earlyBootEnded()
+# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
 allow vold keystore:keystore2 early_boot_ended;
+allow vold keystore:keystore2 delete_all_keys;

 neverallow {
    domain
--- a/private/access_vectors
+++ b/private/access_vectors
@ -730,6 +730,7 @@ class keystore2
 	report_off_body
 	reset
 	unlock
+	delete_all_keys
 }

 class keystore2_key
--- a/private/property_contexts
+++ b/private/property_contexts
@ -499,6 +499,7 @@ ro.crypto.allow_encrypt_override                u:object_r:vold_config_prop:s0 e
 ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
 ro.crypto.fde_algorithm                         u:object_r:vold_config_prop:s0 exact string
 ro.crypto.fde_sector_size                       u:object_r:vold_config_prop:s0 exact int
+ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.scrypt_params                         u:object_r:vold_config_prop:s0 exact string
 ro.crypto.set_dun                               u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.volume.contents_mode                  u:object_r:vold_config_prop:s0 exact string
--- a/private/vold.te
+++ b/private/vold.te
@ -53,8 +53,9 @@ allow vold keystore:binder call;
 allow vold keystore_service:service_manager find;
 allow vold keystore_maintenance_service:service_manager find;

-# vold needs to be able to call earlyBootEnded()
+# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
 allow vold keystore:keystore2 early_boot_ended;
+allow vold keystore:keystore2 delete_all_keys;

 neverallow {
    domain