sepolicy: Add new wifi keystore HAL
Moving the wpa_supplicant interaction from the binder keystore service to the new wifi keystore HAL. Denials addressed: 03-29 00:04:52.075 734 734 E SELinux : avc: denied { get } for pid=638 uid=1010 scontext=u:r:hal_wifi_keystore_default:s0 tcontext=u:r:keystore:s0 tclass=keystore_key Bug: 34603782 Test: Able to connect to wifi passpoint networks. Denials no longer seen. Change-Id: I97eb9a4aa9968056a2f1fcc7ce5509ceb62fd41e
This commit is contained in:
parent
ad2e6166c8
commit
9af7c95f86
5 changed files with 10 additions and 13 deletions
|
@ -223,6 +223,9 @@ attribute hal_vr_server;
|
||||||
attribute hal_wifi;
|
attribute hal_wifi;
|
||||||
attribute hal_wifi_client;
|
attribute hal_wifi_client;
|
||||||
attribute hal_wifi_server;
|
attribute hal_wifi_server;
|
||||||
|
attribute hal_wifi_keystore;
|
||||||
|
attribute hal_wifi_keystore_client;
|
||||||
|
attribute hal_wifi_keystore_server;
|
||||||
attribute hal_wifi_supplicant;
|
attribute hal_wifi_supplicant;
|
||||||
attribute hal_wifi_supplicant_client;
|
attribute hal_wifi_supplicant_client;
|
||||||
attribute hal_wifi_supplicant_server;
|
attribute hal_wifi_supplicant_server;
|
||||||
|
|
2
public/hal_wifi_keystore.te
Normal file
2
public/hal_wifi_keystore.te
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
# HwBinder IPC from client to server.
|
||||||
|
binder_call(hal_wifi_keystore_client, hal_wifi_keystore_server)
|
|
@ -23,17 +23,6 @@ allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
|
||||||
allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
|
allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
|
||||||
allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
|
allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
|
||||||
|
|
||||||
# TODO(b/34131400): Use hwbinder to access keystore.
|
|
||||||
use_keystore(hal_wifi_supplicant)
|
|
||||||
binder_use(hal_wifi_supplicant)
|
|
||||||
|
|
||||||
# WPA (wifi) has a restricted set of permissions from the default.
|
|
||||||
allow hal_wifi_supplicant keystore:keystore_key {
|
|
||||||
get
|
|
||||||
sign
|
|
||||||
verify
|
|
||||||
};
|
|
||||||
|
|
||||||
# Allow wpa_cli to work. wpa_cli creates a socket in
|
# Allow wpa_cli to work. wpa_cli creates a socket in
|
||||||
# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
|
# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
|
||||||
userdebug_or_eng(`
|
userdebug_or_eng(`
|
||||||
|
|
|
@ -10,6 +10,9 @@ binder_call(keystore, system_server)
|
||||||
# talk to keymaster
|
# talk to keymaster
|
||||||
hal_client_domain(keystore, hal_keymaster)
|
hal_client_domain(keystore, hal_keymaster)
|
||||||
|
|
||||||
|
# Implement the wifi keystore hal.
|
||||||
|
hal_server_domain(keystore, hal_wifi_keystore)
|
||||||
|
|
||||||
allow keystore keystore_data_file:dir create_dir_perms;
|
allow keystore keystore_data_file:dir create_dir_perms;
|
||||||
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
|
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
|
||||||
allow keystore keystore_exec:file { getattr };
|
allow keystore keystore_exec:file { getattr };
|
||||||
|
|
4
vendor/hal_wifi_supplicant_default.te
vendored
4
vendor/hal_wifi_supplicant_default.te
vendored
|
@ -8,8 +8,8 @@ net_domain(hal_wifi_supplicant_default)
|
||||||
# Create a socket for receiving info from wpa
|
# Create a socket for receiving info from wpa
|
||||||
type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
|
type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
|
||||||
|
|
||||||
# TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
|
# Allow wpa_supplicant to talk to Wifi Keystore HAL.
|
||||||
typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
|
hal_client_domain(hal_wifi_supplicant_default, hal_wifi_keystore)
|
||||||
# TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
|
# TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
|
||||||
# Remove coredata_in_vendor_violators attribute.
|
# Remove coredata_in_vendor_violators attribute.
|
||||||
# wpa supplicant or equivalent
|
# wpa supplicant or equivalent
|
||||||
|
|
Loading…
Reference in a new issue