WFD requires revision in its SEAndroid policies due
to an OS upgrade and design re-architecture to conform
to system-wide mandates.
Change-Id: I5a9adc280cefab73d8c467379b74951fc3a88e71
In newer kernels (4.14 and above), new context pppox_socket
is defined for PPPOX sockets. For successful VPN connection,
need the corresponding pppox_socket specific rules for ppp
and mtp daemons
CRs-Fixed: 2412475
Change-Id: I3488dabcc464b81a1e1109489b5aeb7530102997
Fix sepolicy denial for location apps for open permission
required for file object with cgroup target context. Use
rw_file_perms permission macro.
Change-Id: I9a3f6a1a7ad77fb0ba4177771d3be84e6636f53d
CRs-Fixed: 2429612
Bootctl needs read access to scsi_generic node to lookup what
/dev/sgN device corresponds to the XBL partitions.
Label it and give read access to bootctl.
Change-Id: I91d54ba05dd3d5fe34296e3911537ed57e51a067
1. Add rules for accessing the capability config store.
It will be used instead of vendor properties that pass
information between system and vendor contexts.
2. Add rule to hal_wifi_supplicant for creating sockets,
fixes this error:
avc: denied { create } for comm="wpa_supplicant" scontext=u:r:hal_wifi_supplicant_default:s0 tcontext=u:r:hal_wifi_supplicant_default:s0 tclass=qipcrtr_socket permissive=0
Change-Id: I735bdc1fc1942cdf03b1dad416a81d1ec91ac44f
This is a cumulative patch which adds rules needed
for wigig and FST, including cleanup of rules that
are no longer needed, and adjustments for new sepolicy
restrictions.
Based on these changes:
1) sepolicy: Add policies for FST manager service
Add SE policies for FST Manager daemon required for
fast-session-transfer feature.
Change-Id: I3750d298c33e9f70e51545a678502b6d7dd0b0e6
2) sepolicy: allow fstman write permissions to wifi directory
FST Manager needs write permissions to wifi directory for supporting
whitelist of rate upgrate interface (wlan1)
Change-Id: I564e7da6118e17f7487242c55b0373dab8d12578
3) sepolicy: support wigig services
For managing the wigig network, define wigig services as
system service and allow access to wpa_wigig0 control socket.
wigig supplicant creates sockets under /data/misc/wifi/wigig_sockets.
CRs-Fixed: 997409
Change-Id: I8113892b7fdbf1a4f7dd4b9c7cf490264952fe69
4) sepolicy: Update policies for FST
Recent android changes removed permission for
systemserver and netd to read system properties.
Added such support as it is needed for fst feature
Change-Id: I045b7115f9a6ba5c03f7f8e510a29e847a534686
CRs-Fixed: 1028134
5) sepolicy: support wigig services and fast session transfer
Add rules for allowing wigig framework and FST to work.
Includes:
- communication between wigig framework and wigig HAL service
- permissions for wigig HAL service
- file/socket permissions for fstman daemon
- permissions for WIFI framework to operate FST.
Change-Id: Ibf0970aa0f06fac1dab4d8a2b31a9f0fc4ab3a6e
6) sepolicy: support FST in SoftAP mode
Add rules needed for supporting FST in SoftAP mode:
- Extend the wifi_vendor_hostapd_socket file definition to include
the hostapd global socket.
- Allow hostapd to send messages back to fstman event socket
- Allow fstman to communicate with hostapd global socket.
Change-Id: Ifbf38e24ff9e0834ef3f3dd8cf70d4e5ce1af4d1
7) sepolicy: add rules for wigig network performance tuner(npt)
Add rules needed to support the wigig network performance tuner.
The npt is a standalone service which provides the ability to
tune network stack parameters. It can accumulate tuning requests
from multiple clients and merge requests.
The npt provides an hwbinder service used by wigig framework
(hosted inside system_server).
The npt also listens on a unix socket, this is used by vendor
components for backward compatibility with previous implementation.
Change-Id: Iaabb4c13519c14b0e79631c7eaed7e53a1076063
8) sepolicy: add permissions to access wigig's snr_thresh sysfs
Part of FST functionality, fstman needs to access snr_thresh sysfs.
Change-Id: Ie10778c0c4b874b2ea8467f2deac26ae7d776bdc
9) sepolicy: fix hostapd rules for FST
FST was broken by commit 3e2b4523e6
("sepolicy: Adding rule for cnd"). Object was changed from
wifi_vendor_wpa_socket to wpa_socket. However wifi_vendor_wpa_socket
provides access to /data/vendor/wifi/sockets where wpa_socket
provides access to /data/misc/wifi/sockets.
Change-Id: Ia70999c3aedc4e073bfcc2ac72bde83d5b521aa4
10) sepolicy: move definitions of wigig services
Move the definitions of wigig services from common
to private, otherwise they do not work in newer version
of Android.
Change-Id: Ia4d0770314706b97ee0fea8f36fe920f0d7103cf
11) sepolicy: remove duplicate definitions of wigig and wigigp2p
wigig and wigigp2p service definitions were duplicated in
common/service_contexts and private/service_contexts,
it caused problems with OTA build.
Change-Id: Ifaeb9ffdf65be44de3ef8d15c323e436b5e04d9f
12) sepolicy: add rules for on-demand insmod/rmmod of wigig driver
Add rules to allow wigig HAL service to insmod/rmmod the wigig module,
similar to the WIFI HAL. This is needed because the wigig chip
leaks power while wigig driver is loaded, so the driver must be
unloaded when wigig framework is disabled.
Change-Id: Id96f50020b3e7028b2c6bdd319383879565087c6
13) sepolicy: fixes for wigig SoftAP (hostapd)
Added some fixes to get wigig SoftAP working.
In recent version of Android hostapd now has its own HAL domain.
Update hostapd rules to refer to this new domain.
Also, there are few small updates to refer to proper types for
vendor files and sockets.
Change-Id: If53a3674312f5a008984eb7ff2aa6026dcdf0af7
14) sepolicy: FST fixes
1. Restore access to hostapd global socket from fstman.
2. fstman now generates its configuration (fstman.ini) based
on system properties, so it needs read access to these.
3. wpa_supplicant global socket moved to vendor_wpa_wlan0,
so fstman (and other vendor services) can access it.
Change-Id: I099d7f3b187989c26666b93288b1693f5db20bec
15) sepolicy: allow platform_app to read wigig properties
WigigSettings application needs to read wigig system property.
Change-Id: Ic5e28b454bfa261b4cbd91dc76b7e2267e1acb74
16) sepolicy: fix wigignpt access to network parameters
Add rule to fix problem with accessing sysfs network
parameters on recent android versions.
Based on this audit log:
avc: denied { search } for pid=1024 comm="wigignpt" name="net" dev="sysfs" ino=41025 scontext=u:r:wigignpt:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0
CRs-Fixed: 2217480
Change-Id: Ifdb8b794a4a310c1548743cc19df77d7eb0d302b
Change-Id: I0c847447acf3ffd7903a62e0139e69308dca851f
Add rules to allow hwcomposer process to open /sys/kernel/debug/ nodes
for debugfs node content dumping during HWRecovery
Change-Id: I2e3c4dec714a6b3391401bf9dd7cf9f0217270ff
For debugging watchdog issues in system_server, system_server
needs read access to binder-state file. Access to generic debugfs has
been removed for all processes except init, vendor_init & dumpstate.
This CL labels /sys/kernel/debug/binder/state file and allows
system_server, dumpstate, vendor_init & init, 'r_file_perms' access
to the same file.
The label and the associated access permissions only apply to
userdebug builds.
Change-Id: I159e39bcd05d699454797f8b1d1c17c810c99cb1
hvdcp_opti daemon needs to store some parameters under vendor
persist (/mnt/vendor/persist/hvdcp_opti/*). Add the necessary
rule for it.
Also, move hvdcp.te from generic/vendor/common to qva/vendor/common.
Change-Id: I337b9c862d15c1080f7f7de7ba2fe26111d9f02b
Add permissions to NPU DSP device so that post_boot
script can update the sysfs nodes for this device.
Change-Id: I531cc4d9feedc22c0cfe515dcf86dbd917bc280b
Grant file read access to hal_usb_default context to read
from the syfs_usb_supply file context. This allows the USB
HAL to be able to read from /sys/class/power_supply/usb/*.
Change-Id: I6ac5672a87114af09c2b9314191116dd21c9e77a
