From 9af7c95f86bf46e2a337d7d851ebb502a192e6a1 Mon Sep 17 00:00:00 2001
From: Roshan Pius <rpius@google.com>
Date: Tue, 28 Mar 2017 15:45:42 -0700
Subject: [PATCH] sepolicy: Add new wifi keystore HAL

Moving the wpa_supplicant interaction from the binder keystore service
to the new wifi keystore HAL.

Denials addressed:
03-29 00:04:52.075   734   734 E SELinux : avc:  denied  { get } for
pid=638 uid=1010 scontext=u:r:hal_wifi_keystore_default:s0
tcontext=u:r:keystore:s0 tclass=keystore_key

Bug: 34603782
Test: Able to connect to wifi passpoint networks. Denials no longer
seen.
Change-Id: I97eb9a4aa9968056a2f1fcc7ce5509ceb62fd41e
---
 public/attributes                     |  3 +++
 public/hal_wifi_keystore.te           |  2 ++
 public/hal_wifi_supplicant.te         | 11 -----------
 public/keystore.te                    |  3 +++
 vendor/hal_wifi_supplicant_default.te |  4 ++--
 5 files changed, 10 insertions(+), 13 deletions(-)
 create mode 100644 public/hal_wifi_keystore.te

diff --git a/public/attributes b/public/attributes
index d9d123fd0..403d2c8a5 100644
--- a/public/attributes
+++ b/public/attributes
@@ -223,6 +223,9 @@ attribute hal_vr_server;
 attribute hal_wifi;
 attribute hal_wifi_client;
 attribute hal_wifi_server;
+attribute hal_wifi_keystore;
+attribute hal_wifi_keystore_client;
+attribute hal_wifi_keystore_server;
 attribute hal_wifi_supplicant;
 attribute hal_wifi_supplicant_client;
 attribute hal_wifi_supplicant_server;
diff --git a/public/hal_wifi_keystore.te b/public/hal_wifi_keystore.te
new file mode 100644
index 000000000..15368ae3e
--- /dev/null
+++ b/public/hal_wifi_keystore.te
@@ -0,0 +1,2 @@
+# HwBinder IPC from client to server.
+binder_call(hal_wifi_keystore_client, hal_wifi_keystore_server)
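Review bot: The new public/hal_wifi_keystore.te has no header saying what the HAL exposes or who is meant to hold the client attribute, which matters for a policy file that gates access to key material. A header such as `# Wifi keystore HAL: lets the wifi supplicant use keystore-held keys over HwBinder; served by the keystore domain.` would record the intent. Since `binder_call` grants on the `binder` class, which as far as I know is shared by binder and hwbinder, the existing comment could also say that the HwBinder-only property depends on clients not being granted `binder_use`.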
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index ed10f8d1c..49ce4fa6e 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -23,17 +23,6 @@ allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
 allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
 allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
 
-# TODO(b/34131400): Use hwbinder to access keystore.
-use_keystore(hal_wifi_supplicant)
-binder_use(hal_wifi_supplicant)
-
-# WPA (wifi) has a restricted set of permissions from the default.
-allow hal_wifi_supplicant keystore:keystore_key {
-    get
-    sign
-    verify
-};
-
 # Allow wpa_cli to work. wpa_cli creates a socket in
 # /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
 userdebug_or_eng(`
diff --git a/public/keystore.te b/public/keystore.te
index 55cafc541..456c74d50 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -10,6 +10,9 @@ binder_call(keystore, system_server)
 # talk to keymaster
 hal_client_domain(keystore, hal_keymaster)
 
+# Implement the wifi keystore hal.
+hal_server_domain(keystore, hal_wifi_keystore)
+
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
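Review bot: Nothing on the new side restates the `keystore_key { get sign verify }` limit that the block removed from public/hal_wifi_supplicant.te enforced, and the added `hal_server_domain(keystore, hal_wifi_keystore)` line does not replace it. If the HAL implementation performs key operations under keystore's own context, the restriction now lives only in the HAL code and not in policy; that is inferred, as the implementation is not visible here. The denial quoted in the commit message names `hal_wifi_keystore_default` as the source context, which this patch does not define, so it is worth confirming which domain ends up making `keystore_key` requests. At minimum, extend the comment, for example `# Implement the wifi keystore hal. The HAL must expose only get/sign/verify; policy no longer limits wpa_supplicant's keystore_key access.`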
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 1ee95bb3d..f0a6ffc38 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -8,8 +8,8 @@ net_domain(hal_wifi_supplicant_default)
 # Create a socket for receiving info from wpa
 type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
 
-# TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
-typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
+# Allow wpa_supplicant to talk to Wifi Keystore HAL.
+hal_client_domain(hal_wifi_supplicant_default, hal_wifi_keystore)
 # TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
 # Remove coredata_in_vendor_violators attribute.
 # wpa supplicant or equivalent
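Review bot: The added `hal_client_domain(hal_wifi_supplicant_default, hal_wifi_keystore)` line runs straight into the following `# TODO (b/36645291)` comment, so the TODO reads as if it described the keystore rule. The removed lines sat the same way, but the new rule is unrelated to the coredata TODO, so a blank line after it would keep the two apart. The rest of the file continues outside the hunk.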
-- 
GitLab