platform_system_sepolicy/public/wificond.te

32 lines
1.1 KiB
Text
Raw Normal View History

# wificond
type wificond, domain;
type wificond_exec, system_file_type, exec_type, file_type;
sepolicy: add sepolicy binder support for wificond This allows wificond to publish binder interface using service manager. Denial warnings: wificond: type=1400 audit(0.0:8): avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 wificond: type=1400 audit(0.0:9): avc: denied { transfer } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 servicemanager: type=1400 audit(0.0:10): avc: denied { search } for name="6085" dev="proc" ino=40626 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=dir permissive=1 servicemanager: type=1400 audit(0.0:11): avc: denied { read } for name="current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1 servicemanager: type=1400 audit(0.0:12): avc: denied { open } for path="/proc/6085/attr/current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1 servicemanager: type=1400 audit(0.0:13): avc: denied { getattr } for scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=process permissive=1 SELinux : avc: denied { add } for service=wificond pid=6085 uid=0 scontext=u:r:wificond:s0 tcontext=u:object_r:wifi_service:s0 tclass=service_manager permissive=1 BUG=28867093 TEST=compile TEST=use a client to call wificond service through binder Change-Id: I9312892caff171f17b04c30a415c07036b39ea7f (cherry picked from commit d56bcb1c5452c8dcdda7e4ef5d0f44b91b6bb08b)
2016-06-03 19:08:56 +02:00
binder_use(wificond)
binder_call(wificond, system_server)
add_service(wificond, wificond_service)
set_prop(wificond, exported_wifi_prop)
set_prop(wificond, wifi_prop)
set_prop(wificond, ctl_default_prop)
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;
# setting interface state up/down is a privileged ioctl
allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
allow wificond self:global_capability_class_set { net_admin net_raw };
# allow wificond to speak to nl80211 in the kernel
allow wificond self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
r_dir_file(wificond, proc_net_type)
# allow wificond to check permission for dumping logs
allow wificond permission_service:service_manager find;
# dumpstate support
allow wificond dumpstate:fd use;
allow wificond dumpstate:fifo_file write;