From 1196d2a5763c9a99be99ba81a4a29d938a83cc06 Mon Sep 17 00:00:00 2001
From: Riley Spahn
Date: Tue, 17 Jun 2014 14:58:52 -0700
Subject: [PATCH] Adding policies for KeyStore MAC.

Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
---
 access_vectors | 20 ++++++++++++++++++++
 app.te | 5 +++++
 binderservicedomain.te | 5 +++++
 keystore.te | 3 +++
 racoon.te | 10 +++++++++-
 security_classes | 3 +++
 system_app.te | 36 ++++++++++++++++++++++++++++++++++++
 system_server.te | 34 ++++++++++++++++++++++++++++++++++
 te_macros | 12 ++++++++++++
 wpa.te | 10 +++++++++-
 10 files changed, 136 insertions(+), 2 deletions(-)

diff --git a/access_vectors b/access_vectors
index 7609d9dc0..f8c0110f5 100644
--- a/access_vectors
+++ b/access_vectors
@@ -893,3 +893,23 @@ class service_manager
 {
 add
 }
+
+class keystore_key
+{
+ test
+ get
+ insert
+ delete
+ exist
+ saw
+ reset
+ password
+ lock
+ unlock
+ zero
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+}
diff --git a/app.te b/app.te
index 63e61e0ff..b34c52292 100644
--- a/app.te
+++ b/app.te
@@ -174,6 +174,11 @@ read_logd(appdomain)
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
+allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
+auditallow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
+
+use_keystore(appdomain)
+
 ###
 ### Neverallow rules
 ###
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 2533fbef0..3190b6b8a 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
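Review bot: The new `class keystore_key` in access_vectors is declared without a comment saying what it models, although security_classes marks it `# userspace` and keystore.te gives keystore `selinux_check_access`, i.e. keystore itself enforces these permissions rather than the kernel. A short header above the class would save the next reader a grep: `# Userspace class enforced by keystore (see selinux_check_access in keystore.te); one permission per keystore command, checked against the calling domain.` The "calling domain" part rests on the getpidcon remark in the use_keystore macro elsewhere in this patch, so hedge it if that is not how keystore resolves callers.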
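Review bot: The `auditallow appdomain keystore:keystore_key { test get insert delete exist saw sign verify }` line in app.te audits every permission the preceding allow grants, for every app domain, whereas the commit description says auditallow is meant for actions not known to be used frequently. `get`, `sign` and `verify` are presumably the per-operation hot path for apps, so this emits an audit record on each such call from any app and can flood the audit log; the binderservicedomain.te hunk has the same pattern. Either trim the auditallow to the rarely used actions, as system_app.te and system_server.te do, or state that the blanket audit is a deliberate, temporary measurement: `# Temporarily audit all app keystore use to learn which actions are needed; narrow to the rare ones once measured.`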
@@ -16,3 +16,8 @@ allow binderservicedomain appdomain:fifo_file write;
 # Allow binderservicedomain to add services by default.
 allow binderservicedomain service_manager_type:service_manager add;
 auditallow binderservicedomain default_android_service:service_manager add;
+
+allow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
+auditallow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
+
+use_keystore(binderservicedomain)
diff --git a/keystore.te b/keystore.te
index 3e627f827..afa701c7e 100644
--- a/keystore.te
+++ b/keystore.te
@@ -27,3 +27,6 @@ neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notde
 neverallow domain keystore:process ptrace;
 allow keystore keystore_service:service_manager add;
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
diff --git a/racoon.te b/racoon.te
index 614825540..8b09cdfe4 100644
--- a/racoon.te
+++ b/racoon.te
@@ -8,7 +8,6 @@ typeattribute racoon mlstrustedsubject;
 net_domain(racoon)
 binder_use(racoon)
-binder_call(racoon, keystore)
 allow racoon tun_device:chr_file r_file_perms;
 allow racoon cgroup:dir { add_name create };
@@ -22,3 +21,12 @@ allow racoon self:capability { net_admin net_bind_service net_raw setuid };
 allow racoon system_file:file rx_file_perms;
 allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;
+
+use_keystore(racoon)
+
+# Racoon (VPN) has a restricted set of permissions from the default.
+allow racoon keystore:keystore_key {
+ get
+ sign
+ verify
+};
diff --git a/security_classes b/security_classes
index 9ff494fdb..fcee928e7 100644
--- a/security_classes
+++ b/security_classes
@@ -140,4 +140,7 @@ class property_service # userspace
 # Service manager
 class service_manager # userspace
+# Keystore Key
+class keystore_key # userspace
+
 # FLASK
diff --git a/system_app.te b/system_app.te
index eb5fa9f4c..324d74ee6 100644
--- a/system_app.te
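Review bot: The comment `# Check SELinux permissions.` above `selinux_check_access(keystore)` in keystore.te only restates the macro name and does not tie it to the `keystore_key` class this same patch introduces, which is the reason the macro is needed. Suggest `# keystore is the userspace object manager for the keystore_key class: it asks SELinux whether the calling domain (obtained via getpidcon) holds the requested permission before acting.` The getpidcon detail comes from the use_keystore macro comment in te_macros; keep the two in step if either changes.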
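Review bot: The comment `# Racoon (VPN) has a restricted set of permissions from the default.` in the second racoon.te hunk is unclear, because no "default" keystore_key set exists in policy; the broad set it contrasts with is what app.te and binderservicedomain.te grant. Suggest `# Racoon (VPN) gets only get/sign/verify, a subset of the keystore_key permissions granted to appdomain and binderservicedomain.`; the wpa.te hunk carries the same wording and the same fix applies there. Racoon and wpa also get no auditallow at all, which is consistent with `get`/`sign`/`verify` being the frequently used actions, but is worth one line saying so if that is the intent. The removal of `binder_call(racoon, keystore)` in the first hunk is covered by use_keystore(), which re-adds it, so no access is lost.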
+++ b/system_app.te
@@ -42,4 +42,40 @@ allow system_app logd_prop:property_service set;
 allow system_app anr_data_file:dir ra_dir_perms;
 allow system_app anr_data_file:file create_file_perms;
+allow system_app keystore:keystore_key {
+ test
+ get
+ insert
+ delete
+ exist
+ saw
+ reset
+ password
+ lock
+ unlock
+ zero
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+};
+
+auditallow system_app keystore:keystore_key {
+ test
+ get
+ insert
+ delete
+ exist
+ reset
+ password
+ lock
+ unlock
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+};
+
 control_logd(system_app)
diff --git a/system_server.te b/system_server.te
index 726ea8c0e..ae7ed570a 100644
--- a/system_server.te
+++ b/system_server.te
@@ -359,6 +359,40 @@ allow system_server pstorefs:file r_file_perms;
 allow system_server system_server_service:service_manager add;
+allow system_server keystore:keystore_key {
+ test
+ get
+ insert
+ delete
+ exist
+ saw
+ reset
+ password
+ lock
+ unlock
+ zero
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+};
+
+auditallow system_server keystore:keystore_key {
+ test
+ get
+ insert
+ delete
+ saw
+ lock
+ unlock
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+};
+
 ###
 ### Neverallow rules
 ###
diff --git a/te_macros b/te_macros
index c72760eee..4199d6e30 100644
--- a/te_macros
+++ b/te_macros
@@ -342,3 +342,15 @@ define(`control_logd', `
 # to permit control commands
 unix_socket_connect($1, logd, logd)
 ')
+
+#####################################
+# use_keystore(domain)
+# Ability to use keystore.
+# Keystore is requires the following permissions
+# to call getpidcon.
+define(`use_keystore', `
+ allow keystore $1:dir search;
+ allow keystore $1:file { read open };
+ allow keystore $1:process getattr;
+ binder_call($1, keystore)
+')
diff --git a/wpa.te b/wpa.te
index 761d3451a..7b1a8751d 100644
--- a/wpa.te
+++ b/wpa.te
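Review bot: `allow system_app keystore:keystore_key { ... }` grants the whole class, including the administrative actions `reset`, `password`, `lock`, `unlock`, `zero`, `clear_uid`, `grant` and `duplicate`, and the auditallow that follows omits `saw` and `zero` with no comment explaining the selection; the system_server.te hunk does the same with a different omitted set (`exist`, `reset`, `password`, `zero`). The commit message says the audit rules mark actions not known to be used frequently, so record that in the policy above each auditallow so the lists can be maintained: `# Full keystore_key access; auditallow covers the actions not expected on the hot path so the set can be narrowed later.` A neverallow keeping the administrative actions out of appdomain would document the intended boundary as well, but it belongs in app.te's neverallow section rather than here.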
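Review bot: The new macro header in te_macros reads `# Keystore is requires the following permissions`; drop the `is`: `# Keystore requires the following permissions`. The header would also help if it said what the dir/file/process rules are for and what a caller still has to add: `# Keystore needs search/read on the caller's domain-labelled dir and files (presumably the caller's /proc entries, for getpidcon — confirm) and getattr on its process; each user of this macro still needs its own allow rule on keystore:keystore_key.` The second half is grounded in racoon.te and wpa.te in this patch, which pair use_keystore() with a separate keystore_key allow.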
@@ -17,13 +17,21 @@ allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)
 binder_use(wpa)
-binder_call(wpa, keystore)
 # Create a socket for receiving info from wpa
 type_transition wpa wifi_data_file:dir wpa_socket "sockets";
 allow wpa wpa_socket:dir create_dir_perms;
 allow wpa wpa_socket:sock_file create_file_perms;
+use_keystore(wpa)
+
+# WPA (wifi) has a restricted set of permissions from the default.
+allow wpa keystore:keystore_key {
+ get
+ sign
+ verify
+};
+
 # Allow wpa_cli to work. wpa_cli creates a socket in
 # /data/misc/wifi/sockets which wpa supplicant communicates with.
 userdebug_or_eng(`