ae8b742840
This is a cumulative patch which adds rules needed
for wigig and FST, including cleanup of rules that
are no longer needed, and adjustments for new sepolicy
restrictions.
Based on these changes:
1) sepolicy: Add policies for FST manager service
Add SE policies for FST Manager daemon required for
fast-session-transfer feature.
Change-Id: I3750d298c33e9f70e51545a678502b6d7dd0b0e6
2) sepolicy: allow fstman write permissions to wifi directory
FST Manager needs write permissions to wifi directory for supporting
whitelist of rate upgrate interface (wlan1)
Change-Id: I564e7da6118e17f7487242c55b0373dab8d12578
3) sepolicy: support wigig services
For managing the wigig network, define wigig services as
system service and allow access to wpa_wigig0 control socket.
wigig supplicant creates sockets under /data/misc/wifi/wigig_sockets.
CRs-Fixed: 997409
Change-Id: I8113892b7fdbf1a4f7dd4b9c7cf490264952fe69
4) sepolicy: Update policies for FST
Recent android changes removed permission for
systemserver and netd to read system properties.
Added such support as it is needed for fst feature
Change-Id: I045b7115f9a6ba5c03f7f8e510a29e847a534686
CRs-Fixed: 1028134
5) sepolicy: support wigig services and fast session transfer
Add rules for allowing wigig framework and FST to work.
Includes:
- communication between wigig framework and wigig HAL service
- permissions for wigig HAL service
- file/socket permissions for fstman daemon
- permissions for WIFI framework to operate FST.
Change-Id: Ibf0970aa0f06fac1dab4d8a2b31a9f0fc4ab3a6e
6) sepolicy: support FST in SoftAP mode
Add rules needed for supporting FST in SoftAP mode:
- Extend the wifi_vendor_hostapd_socket file definition to include
the hostapd global socket.
- Allow hostapd to send messages back to fstman event socket
- Allow fstman to communicate with hostapd global socket.
Change-Id: Ifbf38e24ff9e0834ef3f3dd8cf70d4e5ce1af4d1
7) sepolicy: add rules for wigig network performance tuner(npt)
Add rules needed to support the wigig network performance tuner.
The npt is a standalone service which provides the ability to
tune network stack parameters. It can accumulate tuning requests
from multiple clients and merge requests.
The npt provides an hwbinder service used by wigig framework
(hosted inside system_server).
The npt also listens on a unix socket, this is used by vendor
components for backward compatibility with previous implementation.
Change-Id: Iaabb4c13519c14b0e79631c7eaed7e53a1076063
8) sepolicy: add permissions to access wigig's snr_thresh sysfs
Part of FST functionality, fstman needs to access snr_thresh sysfs.
Change-Id: Ie10778c0c4b874b2ea8467f2deac26ae7d776bdc
9) sepolicy: fix hostapd rules for FST
FST was broken by commit 3e2b4523e6
("sepolicy: Adding rule for cnd"). Object was changed from
wifi_vendor_wpa_socket to wpa_socket. However wifi_vendor_wpa_socket
provides access to /data/vendor/wifi/sockets where wpa_socket
provides access to /data/misc/wifi/sockets.
Change-Id: Ia70999c3aedc4e073bfcc2ac72bde83d5b521aa4
10) sepolicy: move definitions of wigig services
Move the definitions of wigig services from common
to private, otherwise they do not work in newer version
of Android.
Change-Id: Ia4d0770314706b97ee0fea8f36fe920f0d7103cf
11) sepolicy: remove duplicate definitions of wigig and wigigp2p
wigig and wigigp2p service definitions were duplicated in
common/service_contexts and private/service_contexts,
it caused problems with OTA build.
Change-Id: Ifaeb9ffdf65be44de3ef8d15c323e436b5e04d9f
12) sepolicy: add rules for on-demand insmod/rmmod of wigig driver
Add rules to allow wigig HAL service to insmod/rmmod the wigig module,
similar to the WIFI HAL. This is needed because the wigig chip
leaks power while wigig driver is loaded, so the driver must be
unloaded when wigig framework is disabled.
Change-Id: Id96f50020b3e7028b2c6bdd319383879565087c6
13) sepolicy: fixes for wigig SoftAP (hostapd)
Added some fixes to get wigig SoftAP working.
In recent version of Android hostapd now has its own HAL domain.
Update hostapd rules to refer to this new domain.
Also, there are few small updates to refer to proper types for
vendor files and sockets.
Change-Id: If53a3674312f5a008984eb7ff2aa6026dcdf0af7
14) sepolicy: FST fixes
1. Restore access to hostapd global socket from fstman.
2. fstman now generates its configuration (fstman.ini) based
on system properties, so it needs read access to these.
3. wpa_supplicant global socket moved to vendor_wpa_wlan0,
so fstman (and other vendor services) can access it.
Change-Id: I099d7f3b187989c26666b93288b1693f5db20bec
15) sepolicy: allow platform_app to read wigig properties
WigigSettings application needs to read wigig system property.
Change-Id: Ic5e28b454bfa261b4cbd91dc76b7e2267e1acb74
16) sepolicy: fix wigignpt access to network parameters
Add rule to fix problem with accessing sysfs network
parameters on recent android versions.
Based on this audit log:
avc: denied { search } for pid=1024 comm="wigignpt" name="net" dev="sysfs" ino=41025 scontext=u:r:wigignpt:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0
CRs-Fixed: 2217480
Change-Id: Ifdb8b794a4a310c1548743cc19df77d7eb0d302b
Change-Id: I0c847447acf3ffd7903a62e0139e69308dca851f
58 lines
2.6 KiB
Text
58 lines
2.6 KiB
Text
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions are
|
|
# met:
|
|
# * Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
# * Redistributions in binary form must reproduce the above
|
|
# copyright notice, this list of conditions and the following
|
|
# disclaimer in the documentation and/or other materials provided
|
|
# with the distribution.
|
|
# * Neither the name of The Linux Foundation nor the names of its
|
|
# contributors may be used to endorse or promote products derived
|
|
# from this software without specific prior written permission.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
|
|
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
|
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
|
|
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
|
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
|
|
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
|
|
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
type wigignpt, domain;
|
|
type wigignpt_exec, exec_type, vendor_file_type, file_type;
|
|
|
|
init_daemon_domain(wigignpt)
|
|
#use bypass because net_admin capability is needed
|
|
hal_server_domain_bypass(wigignpt, hal_wigig_npt)
|
|
|
|
#allows calls between client and server and vice-versa
|
|
binder_call(hal_wigig_npt_client, hal_wigig_npt_server)
|
|
binder_call(hal_wigig_npt_server, hal_wigig_npt_client)
|
|
|
|
#allow hal clients to find the service
|
|
allow hal_wigig_npt_client hal_wigig_npt_hwservice:hwservice_manager find;
|
|
|
|
#register hal service
|
|
add_hwservice(hal_wigig_npt, hal_wigig_npt_hwservice)
|
|
|
|
#allow updating network stack parameters under /proc/sys/net
|
|
#this also requires net_admin capability
|
|
allow hal_wigig_npt proc_net:file rw_file_perms;
|
|
allow hal_wigig_npt self:capability net_admin;
|
|
|
|
#update wigig0 network parameters like rps_cpus and gro_flush_timeout
|
|
allow hal_wigig_npt sysfs_net:dir search;
|
|
allow hal_wigig_npt sysfs_wigig:file rw_file_perms;
|
|
|
|
#update bond0 rps_cpus (FST)
|
|
allow hal_wigig_npt sysfs_bond0:file rw_file_perms;
|
|
|
|
#listen on /dev/socket/wigignpt
|
|
allow hal_wigig_npt hal_wigig_npt:unix_stream_socket { listen accept read write };
|