Merge "Adding policies for KeyStore MAC."

access_vectors

@@ -893,3 +893,23 @@ class service_manager
 {
 	add
 }
+
+class keystore_key
+{
+	test
+	get
+	insert
+	delete
+	exist
+	saw
+	reset
+	password
+	lock
+	unlock
+	zero
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+}

app.te

@@ -174,6 +174,11 @@ read_logd(appdomain)
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
 
+allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
+auditallow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
+
+use_keystore(appdomain)
+
 ###
 ### Neverallow rules
 ###

binderservicedomain.te

@@ -16,3 +16,8 @@ allow binderservicedomain appdomain:fifo_file write;
 # Allow binderservicedomain to add services by default.
 allow binderservicedomain service_manager_type:service_manager add;
 auditallow binderservicedomain default_android_service:service_manager add;
+
+allow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
+auditallow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
+
+use_keystore(binderservicedomain)

keystore.te

@@ -27,3 +27,6 @@ neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notde
 neverallow domain keystore:process ptrace;
 
 allow keystore keystore_service:service_manager add;
+
+# Check SELinux permissions.
+selinux_check_access(keystore)

racoon.te

@@ -8,7 +8,6 @@ typeattribute racoon mlstrustedsubject;
 net_domain(racoon)
 
 binder_use(racoon)
-binder_call(racoon, keystore)
 
 allow racoon tun_device:chr_file r_file_perms;
 allow racoon cgroup:dir { add_name create };
@@ -22,3 +21,12 @@ allow racoon self:capability { net_admin net_bind_service net_raw setuid };
 allow racoon system_file:file rx_file_perms;
 allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;
+
+use_keystore(racoon)
+
+# Racoon (VPN) has a restricted set of permissions from the default.
+allow racoon keystore:keystore_key {
+	get
+	sign
+	verify
+};

security_classes

@@ -140,4 +140,7 @@ class property_service          # userspace
 # Service manager
 class service_manager           # userspace
 
+# Keystore Key
+class keystore_key              # userspace
+
 # FLASK

system_app.te

@@ -42,4 +42,40 @@ allow system_app logd_prop:property_service set;
 allow system_app anr_data_file:dir ra_dir_perms;
 allow system_app anr_data_file:file create_file_perms;
 
+allow system_app keystore:keystore_key {
+	test
+	get
+	insert
+	delete
+	exist
+	saw
+	reset
+	password
+	lock
+	unlock
+	zero
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+};
+
+auditallow system_app keystore:keystore_key {
+	test
+	get
+	insert
+	delete
+	exist
+	reset
+	password
+	lock
+	unlock
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+};
+
 control_logd(system_app)

system_server.te

@@ -359,6 +359,40 @@ allow system_server pstorefs:file r_file_perms;
 
 allow system_server system_server_service:service_manager add;
 
+allow system_server keystore:keystore_key {
+	test
+	get
+	insert
+	delete
+	exist
+	saw
+	reset
+	password
+	lock
+	unlock
+	zero
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+};
+
+auditallow system_server keystore:keystore_key {
+	test
+	get
+	insert
+	delete
+	saw
+	lock
+	unlock
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+};
+
 ###
 ### Neverallow rules
 ###

te_macros

@@ -342,3 +342,15 @@ define(`control_logd', `
 # to permit control commands
 unix_socket_connect($1, logd, logd)
 ')
+
+#####################################
+# use_keystore(domain)
+# Ability to use keystore.
+# Keystore is requires the following permissions
+# to call getpidcon.
+define(`use_keystore', `
+  allow keystore $1:dir search;
+  allow keystore $1:file { read open };
+  allow keystore $1:process getattr;
+  binder_call($1, keystore)
+')

wpa.te

@@ -17,13 +17,21 @@ allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)
 
 binder_use(wpa)
-binder_call(wpa, keystore)
 
 # Create a socket for receiving info from wpa
 type_transition wpa wifi_data_file:dir wpa_socket "sockets";
 allow wpa wpa_socket:dir create_dir_perms;
 allow wpa wpa_socket:sock_file create_file_perms;
 
+use_keystore(wpa)
+
+# WPA (wifi) has a restricted set of permissions from the default.
+allow wpa keystore:keystore_key {
+	get
+	sign
+	verify
+};
+
 # Allow wpa_cli to work. wpa_cli creates a socket in
 # /data/misc/wifi/sockets which wpa supplicant communicates with.
 userdebug_or_eng(`