From cec44a61ba0309728b053232fc03e13a16726225 Mon Sep 17 00:00:00 2001
From: Roshan Pius <rpius@google.com>
Date: Fri, 4 Nov 2016 09:02:26 -0700
Subject: [PATCH] wpa.te: Add binder permission back

Adding back the binder permission to access keystore from
wpa_supplicant. This was removed by mistake in the previous patch
(commit#: 6caeac) to add hwbinder permissions.

Denials in logs:
11-03 14:37:54.831  9011  9011 I auditd  : type=1400 audit(0.0:1490):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:54.831  9011  9011 W wpa_supplicant: type=1400
audit(0.0:1490): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.838  9011  9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:55.834  9011  9011 I auditd  : type=1400 audit(0.0:1491):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.834  9011  9011 W wpa_supplicant: type=1400
audit(0.0:1491): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.838  9011  9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:56.834  9011  9011 I auditd  : type=1400 audit(0.0:1492):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.834  9011  9011 W wpa_supplicant: type=1400
audit(0.0:1492): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.839  9011  9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:57.834  9011  9011 I auditd  : type=1400 audit(0.0:1493):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.834  9011  9011 W wpa_supplicant: type=1400
audit(0.0:1493): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0

Bug: 32655747
Test: Compiles. Will send for integration testing.
Change-Id: Ic57a5bf0e6ea15770efc0d09f68d04b2db9ec1b8
---
 public/wpa.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/public/wpa.te b/public/wpa.te
index 863b6b9fb..83276c80c 100644
--- a/public/wpa.te
+++ b/public/wpa.te
@@ -21,6 +21,9 @@ allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)
 
+# Keystore access via binder.
+binder_use(wpa)
+
 # HIDL interface exposed by WPA.
 hwbinder_use(wpa)
 binder_call(wpa, wificond)
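
Review bot: The comment on the added line, "# Keystore access via binder.", describes more than `binder_use(wpa)` covers. Every denial quoted in the commit message has tcontext=u:r:servicemanager:s0, so what this restores is the ability of wpa to call servicemanager in order to look up android.security.keystore. Nothing in the visible context allows a binder call from wpa to keystore itself (the only binder_call shown is `binder_call(wpa, wificond)`), so please confirm that such a rule still exists elsewhere in wpa.te and was not dropped by the same earlier commit, and reword the comment to something like "# Use servicemanager to look up keystore." Since the Test line only says the policy compiles, it would also be worth checking on a device that the { call } denials and the "Waiting for service android.security.keystore..." loop are gone before merging.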
-- 
GitLab