Wifi Keystore HAL is not a HAL

Wifi Keystore HAL is a HwBinder service (currently offered by keystore daemon) which is used by Wifi Supplicant HAL. This commit thus switches the SELinux policy of Wifi Keystore HAL to the approach used for non-HAL HwBinder services. The basic idea is simimilar to how we express Binder services in the policy, with two tweaks: (1) we don't have 'hwservicemanager find' and thus there's no add_hwservice macro, and (2) we need loosen the coupling between core and vendor components. For example, it should be possible to move a HwBinder service offered by a core component into another core component, without having to update the SELinux policy of the vendor image. We thus annotate all components offering HwBinder service x across the core-vendor boundary with x_server, which enables the policy of clients to contain rules of the form: binder_call(mydomain, x_server), and, if the service uses IPC callbacks, also binder_call(x_server, mydomain). Test: mmm system/sepolicy Test: sesearch indicates to changes to binder { call transfer} between keystore and hal_wifi_supplicant_default domains Bug: 36896667 Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892

Wifi Keystore HAL is not a HAL
9a14704f · Alex Klyubin · ea53e29f · 9a14704f · ea53e29f · 9a14704f
Commit 9a14704f authored 7 years ago by Alex Klyubin
--- a/public/attributes
+++ b/public/attributes
@@ -239,3 +239,12 @@ attribute hal_wifi_keystore_server;
 attribute hal_wifi_supplicant;
 attribute hal_wifi_supplicant_client;
 attribute hal_wifi_supplicant_server;
+
+# HwBinder services offered across the core-vendor boundary
+#
+# We annotate server domains with x_server  to loosen the coupling between
+# system and vendor images. For example, it should be possible to move a service
+# from one core domain to another, without having to update the vendor image
+# which contains clients of this service.
+
+attribute wifi_keystore_service_server;
--- a/public/hal_wifi_keystore.te
+++ b/public/hal_wifi_keystore.te
-# HwBinder IPC from client to server.
-binder_call(hal_wifi_keystore_client, hal_wifi_keystore_server)
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -10,8 +10,9 @@ binder_call(keystore, system_server)
 # talk to keymaster
 hal_client_domain(keystore, hal_keymaster)

-# Implement the wifi keystore hal.
-hal_server_domain(keystore, hal_wifi_keystore)
+# Offer the Wifi Keystore HwBinder service
+hwbinder_use(keystore)
+typeattribute keystore wifi_keystore_service_server;

 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;

--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -8,8 +8,10 @@ net_domain(hal_wifi_supplicant_default)
 # Create a socket for receiving info from wpa
 type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";

-# Allow wpa_supplicant to talk to Wifi Keystore HAL.
-hal_client_domain(hal_wifi_supplicant_default, hal_wifi_keystore)
+# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
+hwbinder_use(hal_wifi_supplicant_default)
+binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
+
 # TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
 # Remove coredata_in_vendor_violators attribute.
 # wpa supplicant or equivalent