tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/wpa.te

40 lines
1.1 KiB
Text
Raw Normal View History

SE Android policy.
2012-01-04 18:33:27 +01:00
# wpa - wpa supplicant or equivalent
type wpa, domain;
type wpa_exec, exec_type, file_type;
init_daemon_domain(wpa)
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 21:06:11 +01:00
net_domain(wpa)
Confine wpa_supplicant, but leave it permissive for now. Change-Id: Iaa4ed5428d1c49cb4cff3a39c48800cb108f2ac3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-29 19:42:41 +01:00
allow wpa kernel:system module_request;
allow wpa self:capability { setuid net_admin setgid net_raw };
allow wpa cgroup:dir create_dir_perms;
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 21:06:11 +01:00
allow wpa self:netlink_route_socket nlmsg_write;
allow wpa self:netlink_socket create_socket_perms;
allow wpa self:packet_socket create_socket_perms;
Confine wpa_supplicant, but leave it permissive for now. Change-Id: Iaa4ed5428d1c49cb4cff3a39c48800cb108f2ac3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-29 19:42:41 +01:00
allow wpa wifi_data_file:dir create_dir_perms;
allow wpa wifi_data_file:file create_file_perms;
unix_socket_send(wpa, system_wpa, system_server)
Allow wpa to perform binder IPC to keystore. Addresses denials such as: avc: denied { call } for pid=2275 comm="wpa_supplicant" scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder Change-Id: I8ab148046dd06f56630a2876db787b293e14c0ae Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-12 21:30:47 +01:00
binder_use(wpa)
Confine wpa_supplicant, but leave it permissive for now. Change-Id: Iaa4ed5428d1c49cb4cff3a39c48800cb108f2ac3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-29 19:42:41 +01:00
# Create a socket for receiving info from wpa
Ensure that /data/misc/wifi/sockets is always labeled wpa_socket. It appears that wpa_supplicant tries to rmdir /data/misc/wifi/sockets and re-create it at times, so make sure that it remains labeled correctly when re-created in this manner via a name-based type transition rule. Do the same for hostapd as it also has permissions for creating/removing this directory. <5>[83921.800071] type=1400 audit(1392997522.105:26): avc: denied { rmdir } for pid=3055 comm="wpa_supplicant" name="sockets" dev="mmcblk0p28" ino=618957 scontext=u:r:wpa:s0 tcontext=u:object_r:wpa_socket:s0 tclass=dir We no longer need the type_transition for sock_file as it will inherit the type from the parent directory which is set via restorecon_recursive /data/misc/wifi/sockets or via type_transition, so drop it. Change-Id: Iffa61c426783eb03205ba6964c624c6ecea32630 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-21 17:28:20 +01:00
type_transition wpa wifi_data_file:dir wpa_socket "sockets";
allow wpa wpa_socket:dir create_dir_perms;
Confine wpa_supplicant, but leave it permissive for now. Change-Id: Iaa4ed5428d1c49cb4cff3a39c48800cb108f2ac3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-29 19:42:41 +01:00
allow wpa wpa_socket:sock_file create_file_perms;
allow wpa_cli to work. With wpa_supplicant in enforcing, wpa_cli doesn't work. Denial: type=1400 audit(1390597866.260:59): avc: denied { write } for pid=3410 comm="wpa_supplicant" name="wpa_ctrl_4852-1" dev="mmcblk0p28" ino=618993 scontext=u:r:wpa:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file After I9e35cc93abf89ce3594860aa3193f84a3b42ea6e and I51b09c5e40946673a38732ea9f601b2d047d3b62, the /data/misc/wifi/sockets directory is labeled properly. This change allows the communication between the su domain and wpa. Steps to reproduce: Start wifi (so wpa_supplicant will run) Start wpa_cli - it will hand $ adb root $ adb shell # wpa_cli -g @android:wpa_wlan0 Bug: 12721629 Change-Id: I03170acc155ad122c5197baaf590d17fc1ace6a5
2014-01-25 00:46:27 +01:00
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
use_keystore(wpa)
# WPA (wifi) has a restricted set of permissions from the default.
allow wpa keystore:keystore_key {
get
sign
verify
};
allow wpa_cli to work. With wpa_supplicant in enforcing, wpa_cli doesn't work. Denial: type=1400 audit(1390597866.260:59): avc: denied { write } for pid=3410 comm="wpa_supplicant" name="wpa_ctrl_4852-1" dev="mmcblk0p28" ino=618993 scontext=u:r:wpa:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file After I9e35cc93abf89ce3594860aa3193f84a3b42ea6e and I51b09c5e40946673a38732ea9f601b2d047d3b62, the /data/misc/wifi/sockets directory is labeled properly. This change allows the communication between the su domain and wpa. Steps to reproduce: Start wifi (so wpa_supplicant will run) Start wpa_cli - it will hand $ adb root $ adb shell # wpa_cli -g @android:wpa_wlan0 Bug: 12721629 Change-Id: I03170acc155ad122c5197baaf590d17fc1ace6a5
2014-01-25 00:46:27 +01:00
# Allow wpa_cli to work. wpa_cli creates a socket in
# /data/misc/wifi/sockets which wpa supplicant communicates with.
userdebug_or_eng(`
unix_socket_send(wpa, wpa, su)
')
Reference in a new issue Copy permalink