From df31f20dfe7f76cabb73eec3f3f62ca07e048bd8 Mon Sep 17 00:00:00 2001
From: Janis Danisevskis
Date: Mon, 1 Feb 2021 23:04:45 -0800
Subject: [PATCH] Keystore 2.0: Add wifi namespace to sepolicy.
Add the wifi namespace to sepolicy and allow system_app (Settings) and wifi_supplicant to manage/use the keys in that namespace
Test: N/A
Bug: 171305388
Change-Id: Ib6af8656b18288a1116c241c2e76d9aea421a889
---
 private/compat/30.0/30.0.ignore.cil | 1 +
 private/keystore2_key_contexts | 5 +++++
 private/system_app.te | 10 ++++++++++
 public/hal_wifi_supplicant.te | 8 ++++++++
 public/keystore_keys.te | 2 ++
 5 files changed, 26 insertions(+)
 create mode 100644 public/keystore_keys.te
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index e2e96331c..397b3087e 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -99,4 +99,5 @@
 vibrator_manager_service
 vpn_management_service
 watchdog_metadata_file
+ wifi_key
 zygote_config_prop))
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index b92626554..9612b9027 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -15,3 +15,8 @@
 # odsign_key is a keystore2_key namespace for the on-device signing daemon.
 101 u:object_r:odsign_key:s0
+
+# wifi_key is a keystore2_key namspace for the WI-FI subsystem. It replaces the WIFI_UID
+# namespace in keystore.
+102 u:object_r:wifi_key:s0
+
diff --git a/private/system_app.te b/private/system_app.te
index 428483573..f9d3c1c67 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -142,6 +142,16 @@ allow system_app keystore:keystore2_key {
 use
 };
+# Allow Settings to manage WI-FI keys.
+allow system_app wifi_key:keystore2_key {
+ delete
+ get_info
+ grant
+ rebind
+ update
+ use
+};
+
 # settings app reads /proc/version
 allow system_app {
 proc_version
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 79a0667e3..5fbe9f214 100644 
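Review bot: The comment added above the `102 u:object_r:wifi_key:s0` entry in private/keystore2_key_contexts misspells "namespace" as `namspace`; change that line to `# wifi_key is a keystore2_key namespace for the WI-FI subsystem. It replaces the WIFI_UID`. The hunk also appends an empty line after the new entry, which the odsign_key entry directly above does not have; dropping it keeps the entries in this file uniform.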
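Review bot: The new `allow system_app wifi_key:keystore2_key { ... }` block in private/system_app.te includes `grant`, which is broader than the manage/use access the commit message describes: as far as I can tell it is the permission keystore2 checks when a caller delegates a key to another uid, so the set of domains that can reach Wi-Fi keys would no longer be visible from policy alone. If Settings never hands a Wi-Fi key to another process, drop the `grant` line; if it does, say so in the comment, e.g. `# Allow Settings to manage WI-FI keys; grant lets Settings delegate keys to <consumer> (TODO: name the domain)`. The set here is also deliberately wider than the `get_info`/`use` pair given to hal_wifi_supplicant in public/hal_wifi_supplicant.te, which is the right split for the namespace owner versus a consumer, but a sentence stating that Settings installs and removes the keys would make the asymmetry intentional rather than accidental for the next reader.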
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -19,6 +19,14 @@ allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioc
 allow hal_wifi_supplicant self:packet_socket create_socket_perms;
 allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+use_keystore(hal_wifi_supplicant)
+
+# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
+allow hal_wifi_supplicant wifi_key:keystore2_key {
+ get_info
+ use
+};
+
 ###
 ### neverallow rules
 ###
diff --git a/public/keystore_keys.te b/public/keystore_keys.te
new file mode 100644
index 000000000..3c3598487
--- /dev/null
+++ b/public/keystore_keys.te
@@ -0,0 +1,2 @@
+# A keystore2 namespace for WI-FI.
+type wifi_key, keystore2_key_type;
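Review bot: The `allow hal_wifi_supplicant wifi_key:keystore2_key { get_info use }` rule in public/hal_wifi_supplicant.te is written against `hal_wifi_supplicant`, which, if that is the HAL attribute as the surrounding `self:packet_socket` rules suggest rather than a single domain, carries the permission to every domain holding the attribute (client domains included), not only the supplicant process; if only the supplicant should touch Wi-Fi keys, confirm that or scope the rule to the server-side attribute (hal_wifi_supplicant_server). The minimal `get_info`/`use` set is the right shape for a consumer and leaves key management with Settings. Since the hunk sits directly above the `### neverallow rules ###` section, that is also the natural place for a neverallow that pins wifi_key access to the intended domains, so a later allow rule elsewhere cannot widen it silently. The comment names the WI-FI HAL while the rule targets the supplicant; `# Allow the supplicant HAL (hal_wifi_supplicant) to use keys in the keystore namespace wifi_key.` would match the subject of the rule.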