Add keystore_key:attest_unique_id to priv_app.

Only privileged apps are supposed to be able to get unique IDs from attestation. Test: CTS test verifies the negative condition, manual the positive Bug: 34671471 Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578

Add keystore_key:attest_unique_id to priv_app.
a0c7f012 · Shawn Willden · 93b97da8 · a0c7f012 · a0c7f012 · a0c7f012
Commit a0c7f012 authored 7 years ago by Shawn Willden
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -702,6 +702,7 @@ class keystore_key
 	clear_uid
 	add_auth
 	user_changed
+	gen_unique_id
 }

 class drmservice {

--- a/private/domain.te
+++ b/private/domain.te
@@ -13,3 +13,6 @@ neverallow {
  -system_server
  userdebug_or_eng(`-perfprofd')
 } self:capability sys_ptrace;
+
+# Limit ability to generate hardware unique device ID attestations to priv_apps
+neverallow { domain -priv_app } *:keystore_key gen_unique_id;
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -114,6 +114,9 @@ allow priv_app functionfs:file rw_file_perms;
 # TODO: narrow this to just MediaProvider
 allow priv_app mnt_media_rw_file:dir search;

+# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
+allow priv_app keystore:keystore_key gen_unique_id;
+
 read_runtime_log_tags(priv_app)

 ###