d7fe10be98
The get_state permission of the "keystore2" class only guarded the Binder API IKeystoreMaintenance#getState() served by keystore2. That API has been removed because it was unused (https://r.android.com/2768246). Therefore, stop granting the get_state permission. Don't actually remove the permission from private/access_vectors. That would break the build because it's referenced by rules in prebuilts/. Bug: 296464083 Test: atest CtsKeystoreTestCases Change-Id: Ie6c7b17a8652f86a75d48c134a6e71a634d63772
25 lines
1.2 KiB
Text
25 lines
1.2 KiB
Text
# Rules common to some specific binder service domains.
|
|
# Deprecated. Consider granting the exact permissions required by your service.
|
|
|
|
# Allow dumpstate and incidentd to collect information from binder services
|
|
allow binderservicedomain { dumpstate incidentd }:fd use;
|
|
allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
|
|
allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
|
|
allow binderservicedomain shell_data_file:file { getattr write };
|
|
|
|
# Allow dumpsys to work from adb shell or the serial console
|
|
allow binderservicedomain devpts:chr_file rw_file_perms;
|
|
allow binderservicedomain console_device:chr_file rw_file_perms;
|
|
|
|
# Receive and write to a pipe received over Binder from an app.
|
|
allow binderservicedomain appdomain:fd use;
|
|
allow binderservicedomain appdomain:fifo_file write;
|
|
|
|
# allow all services to run permission checks
|
|
allow binderservicedomain permission_service:service_manager find;
|
|
|
|
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
|
|
|
|
use_keystore(binderservicedomain)
|
|
# binderservicedomain is using apex_info via libvintf
|
|
use_apex_info(binderservicedomain)
|