Merge "sepolicy: Add new wifi keystore HAL" into oc-dev

29f273ce · TreeHugger Robot · Android (Google) Code Review · c3a9e7df · 9af7c95f · 29f273ce
Commit 29f273ce authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/public/attributes
+++ b/public/attributes
@@ -233,6 +233,9 @@ attribute hal_vr_server;
 attribute hal_wifi;
 attribute hal_wifi_client;
 attribute hal_wifi_server;
+attribute hal_wifi_keystore;
+attribute hal_wifi_keystore_client;
+attribute hal_wifi_keystore_server;
 attribute hal_wifi_supplicant;
 attribute hal_wifi_supplicant_client;
 attribute hal_wifi_supplicant_server;
--- a/public/hal_wifi_keystore.te
+++ b/public/hal_wifi_keystore.te
+# HwBinder IPC from client to server.
+binder_call(hal_wifi_keystore_client, hal_wifi_keystore_server)
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -23,17 +23,6 @@ allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
 allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
 allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
-# TODO(b/34131400): Use hwbinder to access keystore.
-use_keystore(hal_wifi_supplicant)
-binder_use(hal_wifi_supplicant)
-# WPA (wifi) has a restricted set of permissions from the default.
-allow hal_wifi_supplicant keystore:keystore_key {
-    get
-    sign
-    verify
-};
 # Allow wpa_cli to work. wpa_cli creates a socket in
 # /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
 userdebug_or_eng(`

--- a/public/keystore.te
+++ b/public/keystore.te
@@ -10,6 +10,9 @@ binder_call(keystore, system_server)
 # talk to keymaster
 hal_client_domain(keystore, hal_keymaster)
+# Implement the wifi keystore hal.
+hal_server_domain(keystore, hal_wifi_keystore)
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };

--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -8,8 +8,8 @@ net_domain(hal_wifi_supplicant_default)
 # Create a socket for receiving info from wpa
 type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
-# TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
+# Allow wpa_supplicant to talk to Wifi Keystore HAL.
-typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
+hal_client_domain(hal_wifi_supplicant_default, hal_wifi_keystore)
 # TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
 # Remove coredata_in_vendor_violators attribute.
 # wpa supplicant or equivalent