From a0c7f01299c41157d123da0792fbf9ce2a26f9d3 Mon Sep 17 00:00:00 2001
From: Shawn Willden <swillden@google.com>
Date: Tue, 11 Apr 2017 09:41:25 -0600
Subject: [PATCH] Add keystore_key:attest_unique_id to priv_app.

Only privileged apps are supposed to be able to get unique IDs from
attestation.

Test: CTS test verifies the negative condition; the positive condition was verified manually
Bug: 34671471
Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
---
 private/access_vectors | 1 +
 private/domain.te      | 3 +++
 private/priv_app.te    | 3 +++
 3 files changed, 7 insertions(+)

diff --git a/private/access_vectors b/private/access_vectors
index dcd86c28e..6b08d9efc 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -702,6 +702,7 @@ class keystore_key
 	clear_uid
 	add_auth
 	user_changed
+	gen_unique_id
 }
 
 class drmservice {
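Review bot: The permission declared here is `gen_unique_id`, while the subject line names `keystore_key:attest_unique_id`; the two should agree so the policy symbol can be found from the commit message. The name is used consistently as `gen_unique_id` in the domain.te and priv_app.te hunks, so the subject is the odd one out. If keystore's userspace permission mapping also has to learn the new access vector, that change is not part of this patch — worth confirming before merge. The enclosing `class keystore_key` block starts outside the hunk.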
diff --git a/private/domain.te b/private/domain.te
index 6f8814e40..d37a0bd26 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -13,3 +13,6 @@ neverallow {
   -system_server
   userdebug_or_eng(`-perfprofd')
 } self:capability sys_ptrace;
+
+# Limit ability to generate hardware unique device ID attestations to priv_apps
+neverallow { domain -priv_app } *:keystore_key gen_unique_id;
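Review bot: The new neverallow carries no pointer to where the matching positive grant lives, which makes the rule harder to audit in isolation; a comment such as `# The only grant is in private/priv_app.te; a new exemption here must be paired with an allow there.` would help. Since the rule exempts `priv_app` alone, any future allow for another domain will fail policy compilation rather than silently widening access, which matches the stated intent. The preceding `neverallow { ... } self:capability sys_ptrace;` block begins outside the hunk.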
diff --git a/private/priv_app.te b/private/priv_app.te
index 38ce673a1..a703ba8d4 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -114,6 +114,9 @@ allow priv_app functionfs:file rw_file_perms;
 # TODO: narrow this to just MediaProvider
 allow priv_app mnt_media_rw_file:dir search;
 
+# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
+allow priv_app keystore:keystore_key gen_unique_id;
+
 read_runtime_log_tags(priv_app)
 
 ###
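Review bot: The comment "(e.g. GMS core)" understates the scope of the grant: `priv_app` covers every privileged app on the device, not a single client, and the same file already carries a TODO to narrow a similarly broad rule a few lines above. Suggest `# Allow all privileged apps to generate unique hardware IDs via key attestation; other domains are blocked by a neverallow in private/domain.te`, plus a TODO if narrowing to a dedicated domain is intended. Whether a narrower domain exists for the intended client cannot be judged from this hunk.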
-- 
GitLab