Keystore 2.0: Allow system_server to manage wifi keys

This is needed because Wifi module needs to import and generate keys and it runs in system_server. Also, remove "grant" from system_app and system_server since there is no need to grant any keys. Test: Create an enterprise wifi config with EAP-TLS Bug: 171305388 Change-Id: I50c25f2fe52e968c8cdf1ea20d110f9f052699db
2021-02-09 20:31:01 +00:00 · 2021-02-09 20:31:01 +00:00 · 20bc79bb3f
commit 20bc79bb3f
parent 6691c9c411
2 changed files with 9 additions and 1 deletions
--- a/private/system_app.te
+++ b/private/system_app.te
@ -146,7 +146,6 @@ allow system_app keystore:keystore2_key {
 allow system_app wifi_key:keystore2_key {
    delete
    get_info
-    grant
    rebind
    update
    use
--- a/private/system_server.te
+++ b/private/system_server.te
@ -871,6 +871,15 @@ allow system_server keystore:keystore2_key {
 	use
 };

+# Allow Wifi module to manage Wi-Fi keys.
+allow system_server wifi_key:keystore2_key {
+	delete
+	get_info
+	rebind
+	update
+	use
+};
+
 # Allow system server to search and write to the persistent factory reset
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;