commit df31f20dfe7f76cabb73eec3f3f62ca07e048bd8
author Janis Danisevskis <jdanis@google.com> Mon Feb 01 23:04:45 2021 -0800
committer Janis Danisevskis <jdanis@google.com> Tue Feb 09 08:28:45 2021 -0800
tree b1ec1e6c49e71f8a7b2463784a6bfa3fc0ee8d06
parent c86c173de7e4ad09ccb2dc8d19d9cfb4a287fcbe

Keystore 2.0: Add wifi namespace to sepolicy.

Add the wifi namespace to sepolicy and allow system_app (Settings) and
wifi_supplicant to manage/use the keys in that namespace

Test: N/A
Bug: 171305388
Change-Id: Ib6af8656b18288a1116c241c2e76d9aea421a889

private/compat/30.0/30.0.ignore.cil

diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index e2e9633..397b308 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -99,4 +99,5 @@
     vibrator_manager_service
     vpn_management_service
     watchdog_metadata_file
+    wifi_key
     zygote_config_prop))

private/keystore2_key_contexts

diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index b926265..9612b90 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -15,3 +15,8 @@
 
 # odsign_key is a keystore2_key namespace for the on-device signing daemon.
 101            u:object_r:odsign_key:s0
+
+# wifi_key is a keystore2_key namspace for the WI-FI subsystem. It replaces the WIFI_UID
+# namespace in keystore.
+102            u:object_r:wifi_key:s0
+

private/system_app.te

diff --git a/private/system_app.te b/private/system_app.te
index 4284835..f9d3c1c 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -142,6 +142,16 @@
     use
 };
 
+# Allow Settings to manage WI-FI keys.
+allow system_app wifi_key:keystore2_key {
+    delete
+    get_info
+    grant
+    rebind
+    update
+    use
+};
+
 # settings app reads /proc/version
 allow system_app {
   proc_version

public/hal_wifi_supplicant.te

diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 79a0667..5fbe9f2 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -19,6 +19,14 @@
 allow hal_wifi_supplicant self:packet_socket create_socket_perms;
 allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
 
+use_keystore(hal_wifi_supplicant)
+
+# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
+allow hal_wifi_supplicant wifi_key:keystore2_key {
+    get_info
+    use
+};
+
 ###
 ### neverallow rules
 ###

public/keystore_keys.te

diff --git a/public/keystore_keys.te b/public/keystore_keys.te
new file mode 100644
index 0000000..3c35984
--- /dev/null
+++ b/public/keystore_keys.te
@@ -0,0 +1,2 @@
+# A keystore2 namespace for WI-FI.
+type wifi_key, keystore2_key_type;