authorRobin Lee <rgl@google.com>2014-10-13 12:10:08 +0100
committerRobin Lee <rgl@google.com>2014-10-15 18:02:03 +0000
commit51bfecf49d50982f64aba1fa73bbbdd2e40a444f (patch)
treefb112aa5cc8b9546e8a26a35d732c266399664c6 /installd.te
parentebfd9f87197f4a39bbc2a5e4f6c6dffc28be36d7 (diff)
Pull keychain-data policy out of system-data
Migrators should be allowed to write to /data/misc/keychain in order to remove it. Similarly /data/misc/user should be writable by system apps. TODO: Revoke zygote's rights to read from /data/misc/keychain on behalf of some preloaded security classes. Bug: 17811821 Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
Diffstat (limited to 'installd.te')
-rw-r--r--installd.te6
1 files changed, 6 insertions, 0 deletions
diff --git a/installd.te b/installd.te
index 6257ede..6b1b2b8 100644
--- a/installd.te
+++ b/installd.te
@@ -37,6 +37,12 @@ allow installd media_rw_data_file:file { getattr unlink };
allow installd system_data_file:dir relabelfrom;
allow installd media_rw_data_file:dir relabelto;
+# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd misc_user_data_file:dir create_dir_perms;
+allow installd misc_user_data_file:file create_file_perms;
+allow installd keychain_data_file:dir create_dir_perms;
+allow installd keychain_data_file:file {r_file_perms unlink};
+
# Create /data/.layout_version.* file
type_transition installd system_data_file:file install_data_file;
allow installd install_data_file:file create_file_perms;
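Review bot: The directory rule for `keychain_data_file` grants `create_dir_perms`, which looks wider than the matching file rule (`{r_file_perms unlink}`) and wider than the stated purpose of migrating and then removing the legacy `/data/misc/keychain`. If installd only needs to list the old directory, unlink its entries and remove it, something like `allow installd keychain_data_file:dir { rw_dir_perms rmdir };` would avoid also granting create, rename, reparent and setattr on a type that holds trust-store data; this should be confirmed against what the installd migration code actually does, which is not visible here. The comment could also say which type is the source and which the destination, for example `# Migrate legacy /data/misc/keychain (keychain_data_file) into per-user /data/misc/user (misc_user_data_file); read and delete only on the old location.`, so a later audit can tell why the two types get different permission sets.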