2013-10-29 19:42:36 +01:00
|
|
|
# userspace wifi access points
|
2016-07-11 20:20:33 +02:00
|
|
|
type hostapd, domain;
|
Enable SELinux protections for netd.
This change does several things:
1) Restore domain.te to the version present at
cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version
currently being distributed in AOSP.
2) Add "allow domain properties_device:file r_file_perms;" to
domain.te, to allow all domains to read /dev/__properties__ .
This change was missing from AOSP.
3) Restore netd.te to the version present at
80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version
currently being distributed in AOSP.
4) Remove anything involving module loading from netd.te. CTS
enforces that Android kernels can't have module loading enabled.
5) Add several new capabilities, plus data file rules, to
netd.te, since netd needs to write to files owned by wifi.
6) Add a new unconfined domain called dnsmasq.te, and allow
transitions from netd to that domain. Over time, we'll tighten up
the dnsmasq.te domain.
7) Add a new unconfined domain called hostapd.te, and allow
transitions from netd to that domain. Over time, we'll tighten up
the hostapd.te domain.
The net effect of these changes is to re-enable SELinux protections
for netd. The policy is FAR from perfect, and allows a lot of wiggle
room, but we can improve it over time.
Testing: as much as possible, I've exercised networking related
functionality, including turning on and off wifi, entering airplane
mode, and enabling tethering and portable wifi hotspots. It's quite
possible I've missed something, and if we experience problems, I
can roll back this change.
Bug: 9618347
Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
|
|
|
type hostapd_exec, exec_type, file_type;
|
|
|
|
|
|
2016-07-22 22:13:11 +02:00
|
|
|
|
2014-02-24 21:06:11 +01:00
|
|
|
net_domain(hostapd)
|
2016-07-11 20:20:33 +02:00
|
|
|
allow hostapd self:capability { net_admin net_raw };
|
2014-02-24 21:06:11 +01:00
|
|
|
|
2016-07-11 20:20:33 +02:00
|
|
|
# hostapd learns about its network interface via sysfs.
|
|
|
|
|
allow hostapd sysfs:file r_file_perms;
|
|
|
|
|
# hostapd follows the /sys/class/net/wlan0 link to the PCI device.
|
|
|
|
|
allow hostapd sysfs:lnk_file r_file_perms;
|
|
|
|
|
|
|
|
|
|
# Allow hostapd to access /proc/net/psched
|
|
|
|
|
allow hostapd proc_net:file { getattr open read };
|
|
|
|
|
|
|
|
|
|
# Various socket permissions.
|
2016-05-17 06:12:17 +02:00
|
|
|
allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;
|
|
|
|
|
allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
|
|
|
|
|
allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
|
|
|
allow hostapd self:packet_socket create_socket_perms_no_ioctl;
|
2014-02-24 21:06:11 +01:00
|
|
|
allow hostapd self:netlink_route_socket nlmsg_write;
|
2013-10-29 19:42:36 +01:00
|
|
|
|
2016-07-11 20:20:33 +02:00
|
|
|
# hostapd can read and write WiFi related data and configuration.
|
|
|
|
|
# For example, the entropy file is periodically updated.
|
2013-10-29 19:42:36 +01:00
|
|
|
allow hostapd wifi_data_file:file rw_file_perms;
|
2016-07-11 20:20:33 +02:00
|
|
|
r_dir_file(hostapd, wifi_data_file)
|
|
|
|
|
|
2016-07-22 23:32:38 +02:00
|
|
|
# hostapd wants to create the directory holding its control socket.
|
|
|
|
|
allow hostapd hostapd_socket:dir create_dir_perms;
|
|
|
|
|
# hostapd needs to create, bind to, read, and write its control socket.
|
2016-07-11 20:20:33 +02:00
|
|
|
allow hostapd hostapd_socket:sock_file create_file_perms;
|
