From 6a2451b580487a07a7e9919efa3ea5289f3ed696 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Mon, 2 Mar 2015 10:59:05 -0800
Subject: [PATCH] Allow platform_app access to keystore.

Encountered when certinstaller tries to talk to keystore:
ComponentInfo{com.android.certinstaller/com.android.certinstaller.CertInstaller}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.test()' on a null object reference

Address the following denial:
avc:  denied  { find } for service=android.security.keystore scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:keystore_service:s0 tclass=service_manager

Bug: 19347232
Change-Id: I35b46da3c78b384cf04216be937c6b5bfa86452d
---
 bluetooth.te     | 1 -
 system_app.te    | 1 -
 te_macros        | 1 +
 untrusted_app.te | 1 -
 4 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/bluetooth.te b/bluetooth.te
index 35a4774cb..4d9b4abf6 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -50,7 +50,6 @@ allow bluetooth pan_result_prop:property_service set;
 allow bluetooth ctl_dhcp_pan_prop:property_service set;
 
 allow bluetooth bluetooth_service:service_manager find;
-allow bluetooth keystore_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
 allow bluetooth surfaceflinger_service:service_manager find;
diff --git a/system_app.te b/system_app.te
index 2ea621c48..ea936aa1d 100644
--- a/system_app.te
+++ b/system_app.te
@@ -48,7 +48,6 @@ allow system_app anr_data_file:file create_file_perms;
 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;
 
-allow system_app keystore_service:service_manager find;
 allow system_app mediaserver_service:service_manager find;
 allow system_app nfc_service:service_manager find;
 allow system_app radio_service:service_manager find;
diff --git a/te_macros b/te_macros
index de3f9f5aa..35dfb4d01 100644
--- a/te_macros
+++ b/te_macros
@@ -336,6 +336,7 @@ define(`use_keystore', `
   allow keystore $1:dir search;
   allow keystore $1:file { read open };
   allow keystore $1:process getattr;
+  allow $1 keystore_service:service_manager find;
   binder_call($1, keystore)
 ')
 
diff --git a/untrusted_app.te b/untrusted_app.te
index ae6571994..bb93526a5 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -64,7 +64,6 @@ allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;
 
 allow untrusted_app drmserver_service:service_manager find;
-allow untrusted_app keystore_service:service_manager find;
 allow untrusted_app mediaserver_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;
-- 
GitLab