Keystore 2.0: Allow system_server to manage wifi keys
This is needed because the Wifi module, which runs in
system_server, needs to import and generate keys.
Also, remove "grant" from system_app and system_server
since there is no need to grant any keys.
Test: Create an enterprise wifi config with EAP-TLS
Bug: 171305388
Change-Id: I50c25f2fe52e968c8cdf1ea20d110f9f052699db
diff --git a/private/system_app.te b/private/system_app.te
index f9d3c1c..0aa46e3 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -146,7 +146,6 @@
allow system_app wifi_key:keystore2_key {
delete
get_info
- grant
rebind
update
use
diff --git a/private/system_server.te b/private/system_server.te
index 115aff3..06673c3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -871,6 +871,15 @@
use
};
+# Allow Wifi module to manage Wi-Fi keys.
+allow system_server wifi_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
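Review bot: The comment on the added rule names the Wifi module, but the `allow` applies to the whole `system_server` domain, so every service in that process can delete, rebind, update and use keys labelled `wifi_key`. The comment should say so and record why `grant` is absent, for example `# The Wifi module runs in system_server, so the whole domain gets wifi_key access; grant is omitted on purpose.` If no domain is meant to grant these keys, a `neverallow { system_app system_server } wifi_key:keystore2_key grant;` next to the rule would stop the permission from being added back later. The `use` and `};` context lines at the top of the hunk close an allow rule that starts outside it, so that rule's target is not visible here.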