Merge "Keystore 2.0: Add wifi namespace to sepolicy." am: 6691c9c411

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1570000

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Id996eb24c7e76234de89fd0461f801b85752be97

private/compat/30.0/30.0.ignore.cil

@@ -100,4 +100,5 @@
     vibrator_manager_service
     vpn_management_service
     watchdog_metadata_file
+    wifi_key
     zygote_config_prop))

private/keystore2_key_contexts

@@ -15,3 +15,8 @@
 
 # odsign_key is a keystore2_key namespace for the on-device signing daemon.
 101            u:object_r:odsign_key:s0
+
+# wifi_key is a keystore2_key namspace for the WI-FI subsystem. It replaces the WIFI_UID
+# namespace in keystore.
+102            u:object_r:wifi_key:s0
+

private/system_app.te

@@ -142,6 +142,16 @@ allow system_app keystore:keystore2_key {
     use
 };
 
+# Allow Settings to manage WI-FI keys.
+allow system_app wifi_key:keystore2_key {
+    delete
+    get_info
+    grant
+    rebind
+    update
+    use
+};
+
 # settings app reads /proc/version
 allow system_app {
   proc_version

public/hal_wifi_supplicant.te

@@ -19,6 +19,14 @@ allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioc
 allow hal_wifi_supplicant self:packet_socket create_socket_perms;
 allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
 
+use_keystore(hal_wifi_supplicant)
+
+# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
+allow hal_wifi_supplicant wifi_key:keystore2_key {
+    get_info
+    use
+};
+
 ###
 ### neverallow rules
 ###

public/keystore_keys.te

@@ -0,0 +1,2 @@
+# A keystore2 namespace for WI-FI.
+type wifi_key, keystore2_key_type;