From 20bc79bb3f07936b5bad650b95ba2567ec929a45 Mon Sep 17 00:00:00 2001
From: Pavel Grafov
Date: Tue, 9 Feb 2021 20:31:01 +0000
Subject: [PATCH] Keystore 2.0: Allow system_server to manage wifi keys

This is needed because Wifi module needs to import and generate keys and it runs in system_server. Also, remove "grant" from system_app and system_server since there is no need to grant any keys.

Test: Create an enterprise wifi config with EAP-TLS
Bug: 171305388
Change-Id: I50c25f2fe52e968c8cdf1ea20d110f9f052699db
---
 private/system_app.te | 1 -
 private/system_server.te | 9 +++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/private/system_app.te b/private/system_app.te
index f9d3c1c67..0aa46e3ec 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -146,7 +146,6 @@ allow system_app keystore:keystore2_key {
 allow system_app wifi_key:keystore2_key {
  delete
  get_info
- grant
  rebind
  update
  use
diff --git a/private/system_server.te b/private/system_server.te
index 115aff3cf..06673c3f9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -871,6 +871,15 @@ allow system_server keystore:keystore2_key {
  use
 };
 
+# Allow Wifi module to manage Wi-Fi keys.
+allow system_server wifi_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
 # Allow system server to search and write to the persistent factory reset
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
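Review bot: The description says `grant` is removed from both system_app and system_server, but the diffstat shows no deletions in private/system_server.te, so the `allow system_server keystore:keystore2_key` block that ends at the top of this hunk is left as it was. That block starts outside the hunk, so whether it still lists `grant` cannot be confirmed from here; either drop it there as well or correct the description. SELinux cannot separate the Wifi module from the rest of system_server, so the new comment would be more accurate as `# Allow system_server (which hosts the Wifi module) to manage Wi-Fi keys; grant is intentionally omitted.` If the omission is meant to hold, a `neverallow system_server wifi_key:keystore2_key grant;` next to the rule would catch a later regression at build time.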