diff --git a/public/attributes b/public/attributes
index bfffbad77..b7f0701ce 100644
--- a/public/attributes
+++ b/public/attributes
@@ -233,6 +233,9 @@ attribute hal_vr_server;
 attribute hal_wifi;
 attribute hal_wifi_client;
 attribute hal_wifi_server;
+attribute hal_wifi_keystore;
+attribute hal_wifi_keystore_client;
+attribute hal_wifi_keystore_server;
 attribute hal_wifi_supplicant;
 attribute hal_wifi_supplicant_client;
 attribute hal_wifi_supplicant_server;
diff --git a/public/hal_wifi_keystore.te b/public/hal_wifi_keystore.te
new file mode 100644
index 000000000..15368ae3e
--- /dev/null
+++ b/public/hal_wifi_keystore.te
@@ -0,0 +1,2 @@
+# HwBinder IPC from client to server.
+binder_call(hal_wifi_keystore_client, hal_wifi_keystore_server)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index ed10f8d1c..49ce4fa6e 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -23,17 +23,6 @@ allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
 allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
 allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
-# TODO(b/34131400): Use hwbinder to access keystore.
-use_keystore(hal_wifi_supplicant)
-binder_use(hal_wifi_supplicant)
-
-# WPA (wifi) has a restricted set of permissions from the default.
-allow hal_wifi_supplicant keystore:keystore_key {
- get
- sign
- verify
-};
-
 # Allow wpa_cli to work. wpa_cli creates a socket in
 # /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
 userdebug_or_eng(`
diff --git a/public/keystore.te b/public/keystore.te
index 55cafc541..456c74d50 100644
--- a/public/keystore.te
+++ b/public/keystore.te
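Review bot: The new hal_wifi_keystore.te expresses the Wi-Fi keystore HAL boundary only as `binder_call(hal_wifi_keystore_client, hal_wifi_keystore_server)`, with no counterpart to the `keystore:keystore_key { get sign verify }` rule that the hal_wifi_supplicant.te hunk removes, so policy no longer states which key operations a client may perform; keystore.te (`hal_server_domain(keystore, hal_wifi_keystore)`) and hal_wifi_supplicant_default.te (`hal_client_domain(hal_wifi_supplicant_default, hal_wifi_keystore)`) complete that path. That limit now rests on the HAL implementation inside the core keystore domain, which presumably scopes callers to the wifi user's keys but is not visible here, and keystore becomes reachable from a vendor domain through a single coarse attribute. A comment in the new file recording the shift would help the next reviewer, e.g. `# Clients reach keystore over HwBinder; the per-operation keystore_key rules formerly written for wpa_supplicant are not re-expressed for this path, so the HAL implementation is responsible for limiting which keys and operations a client may use.`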
@@ -10,6 +10,9 @@ binder_call(keystore, system_server)
 # talk to keymaster
 hal_client_domain(keystore, hal_keymaster)
+# Implement the wifi keystore hal.
+hal_server_domain(keystore, hal_wifi_keystore)
+
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 1ee95bb3d..f0a6ffc38 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -8,8 +8,8 @@ net_domain(hal_wifi_supplicant_default)
 # Create a socket for receiving info from wpa
 type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
-# TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
-typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
+# Allow wpa_supplicant to talk to Wifi Keystore HAL.
+hal_client_domain(hal_wifi_supplicant_default, hal_wifi_keystore)
 # TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
 # Remove coredata_in_vendor_violators attribute.
 # wpa supplicant or equivalent