tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/hostapd.te

27 lines
1.1 KiB
Text
Raw Normal View History

Confine hostapd, but leave it permissive for now. Change-Id: I23a2c568e9fdd51c6c09c6c80a7ce9f2b5bd4966 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-29 19:42:36 +01:00
# userspace wifi access points
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
type hostapd, domain;
type hostapd_exec, exec_type, file_type;
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 21:06:11 +01:00
net_domain(hostapd)
Confine hostapd, but leave it permissive for now. Change-Id: I23a2c568e9fdd51c6c09c6c80a7ce9f2b5bd4966 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-29 19:42:36 +01:00
allow hostapd self:capability { net_admin net_raw setuid setgid };
allow hostapd self:netlink_socket create_socket_perms;
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 21:06:11 +01:00
allow hostapd self:packet_socket create_socket_perms;
allow hostapd self:netlink_route_socket nlmsg_write;
Confine hostapd, but leave it permissive for now. Change-Id: I23a2c568e9fdd51c6c09c6c80a7ce9f2b5bd4966 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-29 19:42:36 +01:00
allow hostapd wifi_data_file:file rw_file_perms;
allow hostapd wifi_data_file:dir create_dir_perms;
Ensure that /data/misc/wifi/sockets is always labeled wpa_socket. It appears that wpa_supplicant tries to rmdir /data/misc/wifi/sockets and re-create it at times, so make sure that it remains labeled correctly when re-created in this manner via a name-based type transition rule. Do the same for hostapd as it also has permissions for creating/removing this directory. <5>[83921.800071] type=1400 audit(1392997522.105:26): avc: denied { rmdir } for pid=3055 comm="wpa_supplicant" name="sockets" dev="mmcblk0p28" ino=618957 scontext=u:r:wpa:s0 tcontext=u:object_r:wpa_socket:s0 tclass=dir We no longer need the type_transition for sock_file as it will inherit the type from the parent directory which is set via restorecon_recursive /data/misc/wifi/sockets or via type_transition, so drop it. Change-Id: Iffa61c426783eb03205ba6964c624c6ecea32630 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-21 17:28:20 +01:00
type_transition hostapd wifi_data_file:dir wpa_socket "sockets";
Label /data/misc/wifi/hostapd with wpa_socket type. hostapd creates sockets under /data/misc/wifi/hostapd. Ensure that they are labeled correctly both at runtime (type_transition) and during the init.rc restorecon_recursive /data (file_contexts). Addresses denials such as: avc: denied { create } for pid=20476 comm="hostapd" name="wlan0" scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file avc: denied { setattr } for pid=20476 comm="hostapd" name="wlan0" dev="mmcblk0p23" ino=619005 scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file avc: denied { unlink } for pid=20476 comm="hostapd" name="wlan0" dev="mmcblk0p23" ino=619005 scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file Change-Id: I80a443faeb6017a9d6cbdb8da9d7416f29a7b85f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-12 20:09:17 +01:00
type_transition hostapd wifi_data_file:dir wpa_socket "hostapd";
Update hostapd domain for /data/misc/wifi/sockets label change. Change I9e35cc93abf89ce3594860aa3193f84a3b42ea6e changed the type on /data/misc/wifi/sockets to wpa_socket and change I51b09c5e40946673a38732ea9f601b2d047d3b62 fixed the type on existing devices. Consequently hostapd now needs access to wpa_socket dir and sock_file. Change-Id: I58f552b3cd55821f57e6ef33ebe6bb8587e7b3fd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-11 16:44:21 +01:00
allow hostapd wpa_socket:dir create_dir_perms;
allow hostapd wpa_socket:sock_file create_file_perms;
Confine hostapd, but leave it permissive for now. Change-Id: I23a2c568e9fdd51c6c09c6c80a7ce9f2b5bd4966 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-29 19:42:36 +01:00
allow hostapd netd:fd use;
allow hostapd netd:udp_socket { read write };
Allow netd-spawned domains to use inherited netd unix_dgram_socket. Resolves denials such as: avc: denied { read write } for pid=4346 comm="hostapd" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:hostapd:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket avc: denied { read write } for pid=4348 comm="dnsmasq" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket Change-Id: Ie82f39c32c6e04bc9ef1369ca787cf80b3b4141c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-18 15:45:15 +01:00
allow hostapd netd:fifo_file { read write };
# TODO: Investigate whether these inherited sockets should be closed on exec.
Confine hostapd, but leave it permissive for now. Change-Id: I23a2c568e9fdd51c6c09c6c80a7ce9f2b5bd4966 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-29 19:42:36 +01:00
allow hostapd netd:netlink_kobject_uevent_socket { read write };
allow hostapd netd:netlink_nflog_socket { read write };
allow hostapd netd:netlink_route_socket { read write };
allow hostapd netd:unix_stream_socket { read write };
Allow netd-spawned domains to use inherited netd unix_dgram_socket. Resolves denials such as: avc: denied { read write } for pid=4346 comm="hostapd" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:hostapd:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket avc: denied { read write } for pid=4348 comm="dnsmasq" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket Change-Id: Ie82f39c32c6e04bc9ef1369ca787cf80b3b4141c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-18 15:45:15 +01:00
allow hostapd netd:unix_dgram_socket { read write };
Reference in a new issue Copy permalink