sepolicy(wifi): Allow keystore-wificond communication

Denial log:
1. 10-30 11:02:50.279  wifi  1119  1119 W HwBinder:1119_1:
type=1400 audit(0.0:113): avc: denied { transfer } for
scontext=u:r:wificond:s0 tcontext=u:r:keystore:s0
tclass=binder permissive=0

2. 01-15 16:24:04.214 W/keystore( 1007): type=1400
audit(0.0:109): avc: denied { call } for
scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0
tclass=binder permissive=0

3. 01-16 12:11:19.704 W/keystore( 1021): type=1400
audit(0.0:163): avc: denied { transfer } for
scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0
tclass=binder permissive=0

Bug: 143638513
Bug: 145310496
Test: Installed CA and wifi certificates and connected
to an enterprise network.
No selinux denial seen from wificond and keystore.

Change-Id: I9727add13844b1ff1875e493b777e3a294e00ffa
Sunil Ravi 2020-01-16 10:17:20 -08:00
parent bda9c33ab1
commit d8843d1c2e
2 changed files with 2 additions and 1 deletions


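--- a/PATH-NOT-ON-PAGE (keystore .te)
+++ b/PATH-NOT-ON-PAGE (keystore .te)
@@ -6,6 +6,7 @@ typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
 binder_call(keystore, system_server)
+binder_call(keystore, wificond)
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;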
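Review bot: The new `binder_call(keystore, wificond)` on the fourth line of the hunk is the only rule here that lets keystore initiate binder calls into wificond rather than merely serve it, and it carries no comment explaining why the reverse direction is needed. The denial log in the description shows keystore->wificond `call` and `transfer`, presumably tied to the wifi keystore HwBinder service that wificond registers (visible in the second file's hunk header), so a line such as `# keystore calls back into wificond (wifi keystore HwBinder service); see denials in commit message` would make the intent durable. If `binder_call` expands as in the usual te_macros (call+transfer one way, transfer back, plus `fd use` on the server domain), this also grants keystore use of fds passed from wificond, which is wider than the three denials listed; worth confirming that widening is deliberate.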


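--- a/PATH-NOT-ON-PAGE (wificond .te)
+++ b/PATH-NOT-ON-PAGE (wificond .te)
@@ -4,6 +4,7 @@ type wificond_exec, system_file_type, exec_type, file_type;
 binder_use(wificond)
 binder_call(wificond, system_server)
+binder_call(wificond, keystore)
 add_service(wificond, wificond_service)
@@ -38,5 +39,4 @@ add_hwservice(wificond, system_wifi_keystore_hwservice)
 # Allow keystore binder access to serve the HwBinder service.
 allow wificond keystore_service:service_manager find;
-allow wificond keystore:binder call;
 allow wificond keystore:keystore_key get;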
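Review bot: The comment `# Allow keystore binder access to serve the HwBinder service.` in the second hunk now sits above only the `keystore_service find` and `keystore_key get` rules, while the binder permission it described has moved to the first hunk as `binder_call(wificond, keystore)` with no comment of its own. Suggest either moving that comment next to the macro or adding `# Binder channel to keystore; replaces the bare keystore:binder call allow` above `binder_call(wificond, keystore)`. If `binder_call` carries the usual `fd use` grant in addition to call/transfer, the replacement is broader than the single `call` rule it removes, and together with the matching macro in the keystore policy it makes the keystore-wificond channel fully bidirectional; recording that this widening is intentional would help a later audit of what the wifi keystore HwBinder path may exchange.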