sepolicy(wifi): Allow keystore-wificond communication

Denial log: 1. 10-30 11:02:50.279 wifi 1119 1119 W HwBinder:1119_1: type=1400 audit(0.0:113): avc: denied { transfer } for scontext=u:r:wificond:s0 tcontext=u:r:keystore:s0 tclass=binder permissive=0 2. 01-15 16:24:04.214 W/keystore( 1007): type=1400 audit(0.0:109): avc: denied { call } for scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0 tclass=binder permissive=0 3. 01-16 12:11:19.704 W/keystore( 1021): type=1400 audit(0.0:163): avc: denied { transfer } for scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0 tclass=binder permissive=0 Bug: 143638513 Bug: 145310496 Test: Installed CA and wifi certificates and connects to enterprise network. No selinux denial seen from wificond and keystore. Change-Id: I9727add13844b1ff1875e493b777e3a294e00ffa
2020-01-16 10:17:20 -08:00 · 2020-01-16 10:17:20 -08:00 · d8843d1c2e
commit d8843d1c2e
parent bda9c33ab1
2 changed files with 2 additions and 1 deletions
--- a/public/keystore.te
+++ b/public/keystore.te
@ -6,6 +6,7 @@ typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
 binder_call(keystore, system_server)
+binder_call(keystore, wificond)

 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
--- a/public/wificond.te
+++ b/public/wificond.te
@ -4,6 +4,7 @@ type wificond_exec, system_file_type, exec_type, file_type;

 binder_use(wificond)
 binder_call(wificond, system_server)
+binder_call(wificond, keystore)

 add_service(wificond, wificond_service)

@ -38,5 +39,4 @@ add_hwservice(wificond, system_wifi_keystore_hwservice)

 # Allow keystore binder access to serve the HwBinder service.
 allow wificond keystore_service:service_manager find;
-allow wificond keystore:binder call;
 allow wificond keystore:keystore_key get;