Pull keychain-data policy out of system-data

Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
diff --git a/system_app.te b/system_app.te
index 9a336f9..ea23c81 100644
--- a/system_app.te
+++ b/system_app.te
@@ -12,10 +12,16 @@
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:file create_file_perms;
 
+# Read /data/misc/keychain subdirectory.
+allow system_app keychain_data_file:dir r_dir_perms;
+allow system_app keychain_data_file:file r_file_perms;
+
 # Read and write to other system-owned /data directories, such as
-# /data/system/cache and /data/misc/keychain.
+# /data/system/cache and /data/misc/user.
 allow system_app system_data_file:dir create_dir_perms;
 allow system_app system_data_file:file create_file_perms;
+allow system_app misc_user_data_file:dir create_dir_perms;
+allow system_app misc_user_data_file:file create_file_perms;
 # Audit writes to these directories and files so we can identify
 # and possibly move these directories into their own type in the future.
 auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
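Review bot: The two new `misc_user_data_file` allows sit between the `system_data_file` allows and the comment "Audit writes to these directories and files", so that comment now reads as if writes under /data/misc/user were audited too, while the visible `auditallow` names only `system_data_file`. Since /data/misc/user now has its own type, it is also no longer an example of a `system_data_file` directory, which makes the edited "such as /data/system/cache and /data/misc/user" wording misleading. I would move the two rules into their own stanza under a comment like `# Read and write /data/misc/user.` and keep the earlier comment to `# /data/system/cache.` only. The auditallow block may continue past the end of this hunk, so whether a matching `:file` audit rule exists cannot be seen here. It would also help to state in that comment why system_app needs full `create_dir_perms`/`create_file_perms` on the new type rather than a narrower set, since this hunk does not show what is written there.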