Merge "Adding policies for KeyStore MAC."
diff --git a/access_vectors b/access_vectors
index 7609d9d..f8c0110 100644
--- a/access_vectors
+++ b/access_vectors
@@ -893,3 +893,23 @@
{
add
}
+
+class keystore_key
+{
+ test
+ get
+ insert
+ delete
+ exist
+ saw
+ reset
+ password
+ lock
+ unlock
+ zero
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+}
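Review bot: The new keystore_key class lists sixteen vectors with no comment saying what they guard, and names like `saw`, `zero` and `clear_uid` are not self-describing. A one-line comment above `class keystore_key`, such as `# One permission per keystore command; see keystore's IKeystoreService.`, would let a reviewer check each domain's allow set against the command it actually invokes. I infer the one-to-one mapping from the names and the per-domain rules elsewhere in this commit, so confirm it against keystore's command table before settling on the wording.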
diff --git a/app.te b/app.te
index 63e61e0..b34c522 100644
--- a/app.te
+++ b/app.te
@@ -174,6 +174,11 @@
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;
+allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
+auditallow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
+
+use_keystore(appdomain)
+
###
### Neverallow rules
###
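Review bot: The only thing keeping the management vectors (`reset password lock unlock zero grant duplicate clear_uid`) away from ordinary apps is the absence of an allow rule, even though this hunk sits directly above the file's "Neverallow rules" section; a rule like `neverallow { appdomain -system_app } keystore:keystore_key { reset password lock unlock zero grant duplicate clear_uid };` would make the build enforce the boundary that system_app.te and system_server.te are the only domains in this commit granted them. Confirm no other app domain outside this diff needs those vectors before adding it. Separately, the auditallow line duplicates the allow set exactly, so every permitted keystore call from every app domain produces an audit record; if this is a temporary measurement to prune the set, a comment such as `# TODO: auditallow is temporary, to confirm which vectors apps use; remove once measured.` should say so. The same pattern appears in binderservicedomain.te.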
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 2533fbe..3190b6b 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -16,3 +16,8 @@
# Allow binderservicedomain to add services by default.
allow binderservicedomain service_manager_type:service_manager add;
auditallow binderservicedomain default_android_service:service_manager add;
+
+allow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
+auditallow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
+
+use_keystore(binderservicedomain)
diff --git a/keystore.te b/keystore.te
index 3e627f8..afa701c 100644
--- a/keystore.te
+++ b/keystore.te
@@ -27,3 +27,6 @@
neverallow domain keystore:process ptrace;
allow keystore keystore_service:service_manager add;
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
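Review bot: The comment `# Check SELinux permissions.` does not say what keystore is checking or why it needs the macro, which matters because this is the line that makes keystore the userspace enforcer for the new keystore_key class. Suggest `# keystore enforces keystore_key permissions itself: it queries the policy (selinux_check_access) and the caller's context (getpidcon, granted per domain by use_keystore in te_macros).` A reader landing on this file alone otherwise cannot tell that the two halves of the enforcement live in different places.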
diff --git a/racoon.te b/racoon.te
index 6148255..8b09cdf 100644
--- a/racoon.te
+++ b/racoon.te
@@ -8,7 +8,6 @@
net_domain(racoon)
binder_use(racoon)
-binder_call(racoon, keystore)
allow racoon tun_device:chr_file r_file_perms;
allow racoon cgroup:dir { add_name create };
@@ -22,3 +21,12 @@
allow racoon system_file:file rx_file_perms;
allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms;
+
+use_keystore(racoon)
+
+# Racoon (VPN) has a restricted set of permissions from the default.
+allow racoon keystore:keystore_key {
+ get
+ sign
+ verify
+};
diff --git a/security_classes b/security_classes
index 9ff494f..fcee928 100644
--- a/security_classes
+++ b/security_classes
@@ -140,4 +140,7 @@
# Service manager
class service_manager # userspace
+# Keystore Key
+class keystore_key # userspace
+
# FLASK
diff --git a/system_app.te b/system_app.te
index eb5fa9f..324d74e 100644
--- a/system_app.te
+++ b/system_app.te
@@ -42,4 +42,40 @@
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
+allow system_app keystore:keystore_key {
+ test
+ get
+ insert
+ delete
+ exist
+ saw
+ reset
+ password
+ lock
+ unlock
+ zero
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+};
+
+auditallow system_app keystore:keystore_key {
+ test
+ get
+ insert
+ delete
+ exist
+ reset
+ password
+ lock
+ unlock
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+};
+
control_logd(system_app)
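Review bot: The auditallow set differs from the allow set without explanation: `saw` and `zero` are allowed but not audited here, and in system_server.te `exist`, `reset`, `password` and `zero` are likewise dropped from the auditallow. Read cold, that looks like an accidental omission rather than a deliberate choice to keep known-hot or already-confirmed operations out of the audit log. A comment above each auditallow, e.g. `# Audit everything except vectors already confirmed in use (saw, zero) to keep the log readable.`, would record the intent; adjust the wording to the actual reason. If the exclusions are accidental, the two sets should simply match, as they do in app.te and binderservicedomain.te.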
diff --git a/system_server.te b/system_server.te
index 726ea8c..ae7ed57 100644
--- a/system_server.te
+++ b/system_server.te
@@ -359,6 +359,40 @@
allow system_server system_server_service:service_manager add;
+allow system_server keystore:keystore_key {
+ test
+ get
+ insert
+ delete
+ exist
+ saw
+ reset
+ password
+ lock
+ unlock
+ zero
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+};
+
+auditallow system_server keystore:keystore_key {
+ test
+ get
+ insert
+ delete
+ saw
+ lock
+ unlock
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+};
+
###
### Neverallow rules
###
diff --git a/te_macros b/te_macros
index c72760e..4199d6e 100644
--- a/te_macros
+++ b/te_macros
@@ -342,3 +342,15 @@
# to permit control commands
unix_socket_connect($1, logd, logd)
')
+
+#####################################
+# use_keystore(domain)
+# Ability to use keystore.
+# Keystore is requires the following permissions
+# to call getpidcon.
+define(`use_keystore', `
+ allow keystore $1:dir search;
+ allow keystore $1:file { read open };
+ allow keystore $1:process getattr;
+ binder_call($1, keystore)
+')
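Review bot: The header comment overstates what the macro grants: `use_keystore` only provides the plumbing (binder_call to keystore plus what keystore needs to resolve the caller's context), and a domain still gets no keystore_key vector until it adds its own allow rule, as racoon.te and wpa.te do. It also has a grammar slip in `# Keystore is requires the following permissions`. Suggest replacing the two descriptive lines with `# Grant $1 binder access to keystore, and let keystore read $1's /proc/<pid>/attr context (getpidcon)` and `# so it can enforce keystore_key. keystore_key permissions must be allowed separately.` The `$1:dir search` and `$1:file { read open }` rules are needed because /proc/<pid>/attr/current is labeled with the target process's domain; a short trailing comment on those lines would save the next reader the lookup.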
diff --git a/wpa.te b/wpa.te
index 761d345..7b1a875 100644
--- a/wpa.te
+++ b/wpa.te
@@ -17,13 +17,21 @@
unix_socket_send(wpa, system_wpa, system_server)
binder_use(wpa)
-binder_call(wpa, keystore)
# Create a socket for receiving info from wpa
type_transition wpa wifi_data_file:dir wpa_socket "sockets";
allow wpa wpa_socket:dir create_dir_perms;
allow wpa wpa_socket:sock_file create_file_perms;
+use_keystore(wpa)
+
+# WPA (wifi) has a restricted set of permissions from the default.
+allow wpa keystore:keystore_key {
+ get
+ sign
+ verify
+};
+
# Allow wpa_cli to work. wpa_cli creates a socket in
# /data/misc/wifi/sockets which wpa supplicant communicates with.
userdebug_or_eng(`