From db88d1555fe623c4050444677c883a1f027ff74d Mon Sep 17 00:00:00 2001
From: Hasini Gunasinghe
Date: Thu, 3 Dec 2020 21:40:53 +0000
Subject: [PATCH] Add get_auth_token permission to allow credstore to call keystore2. This CL adds a new keystore2 permission "get_auth_token"and grants this permission to credstore which needs to call keystore2 to obtain authtokens.
Bug: 159475191
Test: CtsVerifier
Change-Id: I1c02ea73afa6fe0b12a2d74e51fb4a8a94fd4baf
---
 private/access_vectors | 1 +
 public/credstore.te | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/private/access_vectors b/private/access_vectors
index a02a2a80d..1ab4f73ad 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -718,6 +718,7 @@ class keystore2
 change_user
 clear_ns
 clear_uid
+ get_auth_token
 get_state
 list
 lock
diff --git a/public/credstore.te b/public/credstore.te
index a2376d2b5..97d942d91 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -12,6 +12,8 @@ allow credstore credstore_data_file:file create_file_perms;
 add_service(credstore, credstore_service)
 allow credstore sec_key_att_app_id_provider_service:service_manager find;
 allow credstore dropbox_service:service_manager find;
+allow credstore authorization_service:service_manager find;
+allow credstore keystore:keystore2 get_auth_token;
 r_dir_file(credstore, cgroup)
 r_dir_file(credstore, cgroup_v2)
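Review bot: The grant `allow credstore keystore:keystore2 get_auth_token;` added to public/credstore.te is not backed by a `neverallow`, so nothing visible in this change stops a later rule from handing the same permission to another domain without a build failure. Since the commit message says the permission exists so credstore can obtain auth tokens, I would pin it to that single caller with `neverallow { domain -credstore } keystore:keystore2 get_auth_token;`, unless an equivalent rule already exists outside this diff. The two added rules would also benefit from a comment such as `# credstore looks up the authorization service to obtain auth tokens from keystore2.`, because the commit message does not mention the `authorization_service` lookup and its link to `get_auth_token` is only inferred from the rules being added together.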