sepolicy(wifi): Allow keystore-wificond communication
Denial log:
1. 10-30 11:02:50.279 wifi 1119 1119 W HwBinder:1119_1:
type=1400 audit(0.0:113): avc: denied { transfer } for
scontext=u:r:wificond:s0 tcontext=u:r:keystore:s0
tclass=binder permissive=0
2. 01-15 16:24:04.214 W/keystore( 1007): type=1400
audit(0.0:109): avc: denied { call } for
scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0
tclass=binder permissive=0
3. 01-16 12:11:19.704 W/keystore( 1021): type=1400
audit(0.0:163): avc: denied { transfer } for
scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0
tclass=binder permissive=0
Bug: 143638513
Bug: 145310496
Test: Installed CA and wifi certificates and connects
to enterprise network.
No selinux denial seen from wificond and keystore.
Change-Id: I9727add13844b1ff1875e493b777e3a294e00ffa
diff --git a/public/keystore.te b/public/keystore.te
index e869f32..27c4624 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -6,6 +6,7 @@
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, system_server)
+binder_call(keystore, wificond)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
diff --git a/public/wificond.te b/public/wificond.te
index cfca60e..af29511 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,6 +4,7 @@
binder_use(wificond)
binder_call(wificond, system_server)
+binder_call(wificond, keystore)
add_service(wificond, wificond_service)
@@ -38,5 +39,4 @@
# Allow keystore binder access to serve the HwBinder service.
allow wificond keystore_service:service_manager find;
-allow wificond keystore:binder call;
allow wificond keystore:keystore_key get;