Stop granting permissions on keystore_key class

When keystore was replaced with keystore2 in Android 12, the SELinux class of keystore keys was changed from keystore_key to keystore2_key. However, the rules that granted access to keystore_key were never removed. This CL removes them, as they are no longer needed. Don't actually remove the class and its permissions from private/security_classes and private/access_vectors. That would break the build because they're referenced by rules in prebuilts/. Bug: 171305684 Test: atest CtsKeystoreTestCases Flag: exempt, removing obsolete code Change-Id: I35d9ea22c0d069049a892def15a18696c4f287a3
2023-10-16 21:44:26 +00:00 · 2023-10-16 21:44:26 +00:00 · cc5cb431ee
commit cc5cb431ee
parent 51cc740ca8
13 changed files with 4 additions and 62 deletions
--- a/private/app.te
+++ b/private/app.te
@ -176,7 +176,6 @@ allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccesso
 control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })

 # application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };

 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@ -18,7 +18,6 @@ allow binderservicedomain appdomain:fifo_file write;
 # allow all services to run permission checks
 allow binderservicedomain permission_service:service_manager find;

-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
 allow binderservicedomain keystore:keystore2 { get_state };
 allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };

--- a/private/domain.te
+++ b/private/domain.te
@ -214,7 +214,6 @@ neverallow {
 } self:global_capability_class_set sys_ptrace;

 # Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
 neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
 neverallow { domain -system_server } *:keystore2_key use_dev_id;
 neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@ -36,7 +36,6 @@ allow gmscore_app perfetto:fd use;
 allow gmscore_app perfetto_traces_data_file:file { read getattr };

 # Allow GMS core to generate unique hardware IDs
-allow gmscore_app keystore:keystore_key gen_unique_id;
 allow gmscore_app keystore:keystore2_key gen_unique_id;

 # Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
--- a/private/keystore.te
+++ b/private/keystore.te
@ -26,7 +26,7 @@ get_prop(keystore, device_config_remote_key_provisioning_native_prop)
 # Allow keystore to write to statsd.
 unix_socket_send(keystore, statsdw, statsd)

-# Keystore need access to the keystore_key context files to load the keystore key backend.
+# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
 allow keystore keystore2_key_contexts_file:file r_file_perms;

 # Allow keystore to listen to changing boot levels
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@ -4,10 +4,10 @@
 # <namespace> <label>
 #
 # <namespace> must be an integer in the interval [0 ...  2^31)
-# su_key is a keystore_key namespace for the su domain intended for native tests.
+# su_key is a keystore2_key namespace for the su domain intended for native tests.
 0              u:object_r:su_key:s0

-# shell_key is a keystore_key namespace for the shell domain intended for native tests.
+# shell_key is a keystore2_key namespace for the shell domain intended for native tests.
 1              u:object_r:shell_key:s0

 # vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
--- a/private/system_app.te
+++ b/private/system_app.te
@ -120,26 +120,6 @@ dontaudit system_app debugfs_tracing:file rw_file_perms;
 # Ignore access to zram when Debug.getMemInfo is called.
 dontaudit system_app sysfs_zram:dir search;

-allow system_app keystore:keystore_key {
-    get_state
-    get
-    insert
-    delete
-    exist
-    list
-    reset
-    password
-    lock
-    unlock
-    is_empty
-    sign
-    verify
-    grant
-    duplicate
-    clear_uid
-    user_changed
-};
-
 allow system_app keystore:keystore2_key {
    delete
    get_info
--- a/private/system_server.te
+++ b/private/system_server.te
@ -973,27 +973,6 @@ userdebug_or_eng(`

 add_service(system_server, batteryproperties_service)

-allow system_server keystore:keystore_key {
-	get_state
-	get
-	insert
-	delete
-	exist
-	list
-	reset
-	password
-	lock
-	unlock
-	is_empty
-	sign
-	verify
-	grant
-	duplicate
-	clear_uid
-	add_auth
-	user_changed
-};
-
 allow system_server keystore:keystore2 {
 	add_auth
 	change_password
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@ -17,7 +17,6 @@ allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;

 # Need to add auth tokens to KeyStore
 use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
 allow fingerprintd keystore:keystore2 { add_auth };

 # For permissions checking
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@ -22,7 +22,6 @@ add_service(gatekeeperd, gatekeeper_service)

 # Need to add auth tokens to KeyStore
 use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
 allow gatekeeperd keystore:keystore2 { add_auth };
 allow gatekeeperd authorization_service:service_manager find;

--- a/public/racoon.te
+++ b/public/racoon.te
@ -25,10 +25,3 @@ allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;

 use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
-	get
-	sign
-	verify
-};
--- a/public/su.te
+++ b/public/su.te
@ -48,7 +48,6 @@ userdebug_or_eng(`
  dontaudit su servicemanager:service_manager list;
  dontaudit su hwservicemanager:hwservice_manager list;
  dontaudit su vndservicemanager:service_manager list;
-  dontaudit su keystore:keystore_key *;
  dontaudit su keystore:keystore2 *;
  dontaudit su domain:drmservice *;
  dontaudit su unlabeled:filesystem *;
--- a/public/wificond.te
+++ b/public/wificond.te
@ -33,11 +33,8 @@ hwbinder_use(wificond)
 typeattribute wificond wifi_keystore_service_server;
 add_hwservice(wificond, system_wifi_keystore_hwservice)

-# Allow keystore binder access to serve the HwBinder service.
-allow wificond keystore_service:service_manager find;
-allow wificond keystore:keystore_key get;
-
 # Allow keystore2 binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
 allow wificond wifi_key:keystore2_key {
    get_info
    use