Adding policies for KeyStore MAC.

Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
diff --git a/access_vectors b/access_vectors
index 7609d9d..f8c0110 100644
--- a/access_vectors
+++ b/access_vectors
@@ -893,3 +893,23 @@
 {
 	add
 }
+
+class keystore_key
+{
+	test
+	get
+	insert
+	delete
+	exist
+	saw
+	reset
+	password
+	lock
+	unlock
+	zero
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+}
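Review bot: The new keystore_key class carries no comment saying what enforces these permissions or how the list is meant to be maintained, and per the description it is one entry per keystore action, so the two must stay in step. A short header above the class would capture that: `# Permissions keystore checks itself (selinux_check_access) for its binder commands; keep in sync with keystore's command set.` The rest of access_vectors is outside this hunk, so I cannot tell whether other userspace classes here follow the same convention.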
diff --git a/app.te b/app.te
index 63e61e0..b34c522 100644
--- a/app.te
+++ b/app.te
@@ -174,6 +174,11 @@
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
 
+allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
+auditallow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
+
+use_keystore(appdomain)
+
 ###
 ### Neverallow rules
 ###
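Review bot: The auditallow on the second added line mirrors the allow line exactly, so every get, sign and verify from every app will produce an audit record, which contradicts the description's stated intent of auditing only infrequently used actions and is likely to flood the log on a busy device. Presumably get, sign and verify are the hot path, since they are the only actions racoon and wpa receive; if so, narrow it to `auditallow appdomain keystore:keystore_key { test insert delete exist saw };` or drop the audit for appdomain altogether. The binderservicedomain.te hunk has the same allow/auditallow mirroring and should be adjusted the same way.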
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 2533fbe..3190b6b 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -16,3 +16,8 @@
 # Allow binderservicedomain to add services by default.
 allow binderservicedomain service_manager_type:service_manager add;
 auditallow binderservicedomain default_android_service:service_manager add;
+
+allow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
+auditallow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
+
+use_keystore(binderservicedomain)
diff --git a/keystore.te b/keystore.te
index 3e627f8..afa701c 100644
--- a/keystore.te
+++ b/keystore.te
@@ -27,3 +27,6 @@
 neverallow domain keystore:process ptrace;
 
 allow keystore keystore_service:service_manager add;
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
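Review bot: The management actions (reset, password, lock, unlock, zero, grant, duplicate, clear_uid) are granted only to system_server and system_app in this commit, but nothing asserts that, so a later rule could hand them to any domain unnoticed; since this file already holds the keystore neverallows, consider `neverallow { domain -system_server -system_app } keystore:keystore_key { reset password lock unlock zero grant duplicate clear_uid };` if no other domain is meant to hold them. The comment on the added macro call says what but not why; `# keystore checks keystore_key permissions itself (selinux_check_access); this grants what that check needs.` would make the dependency clear (the macro body is outside this diff).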
diff --git a/racoon.te b/racoon.te
index 6148255..8b09cdf 100644
--- a/racoon.te
+++ b/racoon.te
@@ -8,7 +8,6 @@
 net_domain(racoon)
 
 binder_use(racoon)
-binder_call(racoon, keystore)
 
 allow racoon tun_device:chr_file r_file_perms;
 allow racoon cgroup:dir { add_name create };
@@ -22,3 +21,12 @@
 allow racoon system_file:file rx_file_perms;
 allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;
+
+use_keystore(racoon)
+
+# Racoon (VPN) has a restricted set of permissions from the default.
+allow racoon keystore:keystore_key {
+	get
+	sign
+	verify
+};
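Review bot: The comment `# Racoon (VPN) has a restricted set of permissions from the default.` leaves "the default" undefined, so the reader cannot tell what it is being compared against; `# Racoon (VPN) needs only get, sign and verify; key management actions are deliberately withheld.` states the actual restriction. The same comment text accompanies the identical rule in wpa.te and should be reworded there too.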
diff --git a/security_classes b/security_classes
index 9ff494f..fcee928 100644
--- a/security_classes
+++ b/security_classes
@@ -140,4 +140,7 @@
 # Service manager
 class service_manager           # userspace
 
+# Keystore Key
+class keystore_key              # userspace
+
 # FLASK
diff --git a/system_app.te b/system_app.te
index eb5fa9f..324d74e 100644
--- a/system_app.te
+++ b/system_app.te
@@ -42,4 +42,40 @@
 allow system_app anr_data_file:dir ra_dir_perms;
 allow system_app anr_data_file:file create_file_perms;
 
+allow system_app keystore:keystore_key {
+	test
+	get
+	insert
+	delete
+	exist
+	saw
+	reset
+	password
+	lock
+	unlock
+	zero
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+};
+
+auditallow system_app keystore:keystore_key {
+	test
+	get
+	insert
+	delete
+	exist
+	reset
+	password
+	lock
+	unlock
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+};
+
 control_logd(system_app)
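Review bot: The auditallow block omits saw and zero from the full allow list directly above it without saying why, and the system_server.te hunk that follows omits a different subset (exist, reset, password, zero), so a reader cannot tell whether the asymmetry is deliberate. If the reason is the one the description gives, a one-line comment before each block would preserve it, e.g. `# audit everything except saw and zero, which system_app is expected to use routinely` here and the corresponding list in system_server.te. Since system_app is presumably also an app domain, the appdomain auditallow in app.te will fire for its common actions as well; worth confirming that double audit is intended.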
diff --git a/system_server.te b/system_server.te
index 726ea8c..ae7ed57 100644
--- a/system_server.te
+++ b/system_server.te
@@ -359,6 +359,40 @@
 
 allow system_server system_server_service:service_manager add;
 
+allow system_server keystore:keystore_key {
+	test
+	get
+	insert
+	delete
+	exist
+	saw
+	reset
+	password
+	lock
+	unlock
+	zero
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+};
+
+auditallow system_server keystore:keystore_key {
+	test
+	get
+	insert
+	delete
+	saw
+	lock
+	unlock
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+};
+
 ###
 ### Neverallow rules
 ###
diff --git a/te_macros b/te_macros
index c72760e..4199d6e 100644
--- a/te_macros
+++ b/te_macros
@@ -342,3 +342,15 @@
 # to permit control commands
 unix_socket_connect($1, logd, logd)
 ')
+
+#####################################
+# use_keystore(domain)
+# Ability to use keystore.
+# Keystore is requires the following permissions
+# to call getpidcon.
+define(`use_keystore', `
+  allow keystore $1:dir search;
+  allow keystore $1:file { read open };
+  allow keystore $1:process getattr;
+  binder_call($1, keystore)
+')
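Review bot: The macro header has a typo, `# Keystore is requires the following permissions` should read `# Keystore requires the following permissions`, and it does not say what the dir/file rules on the caller's domain are for; presumably keystore reads the caller's /proc/<pid> entries to resolve its context, so `# to call getpidcon() on the caller (reads its /proc/<pid> entries).` would explain the three allow lines. The macro body is indented by two spaces while the macro immediately above it in the context lines uses column 0; align it with the file's convention.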
diff --git a/wpa.te b/wpa.te
index 761d345..7b1a875 100644
--- a/wpa.te
+++ b/wpa.te
@@ -17,13 +17,21 @@
 unix_socket_send(wpa, system_wpa, system_server)
 
 binder_use(wpa)
-binder_call(wpa, keystore)
 
 # Create a socket for receiving info from wpa
 type_transition wpa wifi_data_file:dir wpa_socket "sockets";
 allow wpa wpa_socket:dir create_dir_perms;
 allow wpa wpa_socket:sock_file create_file_perms;
 
+use_keystore(wpa)
+
+# WPA (wifi) has a restricted set of permissions from the default.
+allow wpa keystore:keystore_key {
+	get
+	sign
+	verify
+};
+
 # Allow wpa_cli to work. wpa_cli creates a socket in
 # /data/misc/wifi/sockets which wpa supplicant communicates with.
 userdebug_or_eng(`