Switch Wi-Fi HAL policy to _client/_server
This switches Wi-Fi HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Wi-Fi HAL.
Domains which are clients of Wi-Fi HAL, such as system_server domain,
are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_wifi are
not granted to client domains.
Domains which offer a binderized implementation of Wi-Fi HAL, such as
hal_wifi_default domain, are always granted rules targeting hal_wifi.
Test: Setup Wizard (incl. adding a Google Account) completes fine with
Wi-Fi connectivity only
Test: Toggle Wi-Fi off, on, off, on
Test: Use System UI to see list of WLANs and connect to one which does
not require a password, and to one which requries a PSK
Test: ip6.me loads fine in Chrome over Wi-Fi
Bug: 34170079
Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f
2017-02-23 00:12:19 +01:00
|
|
|
# HwBinder IPC from client to server, and callbacks
|
|
|
|
binder_call(hal_wifi_client, hal_wifi_server)
|
|
|
|
binder_call(hal_wifi_server, hal_wifi_client)
|
2016-10-04 19:31:34 +02:00
|
|
|
|
2018-06-06 18:30:18 +02:00
|
|
|
hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
|
2017-04-14 04:05:27 +02:00
|
|
|
|
Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
|
|
|
r_dir_file(hal_wifi, proc_net_type)
|
2016-10-04 19:31:34 +02:00
|
|
|
r_dir_file(hal_wifi, sysfs_type)
|
|
|
|
|
2018-04-09 05:07:32 +02:00
|
|
|
set_prop(hal_wifi, exported_wifi_prop)
|
2017-03-03 14:58:03 +01:00
|
|
|
set_prop(hal_wifi, wifi_prop)
|
|
|
|
|
2018-12-05 02:21:19 +01:00
|
|
|
# allow hal wifi set interfaces up and down and get the factory MAC
|
2016-10-04 19:31:34 +02:00
|
|
|
allow hal_wifi self:udp_socket create_socket_perms;
|
2018-12-05 02:21:19 +01:00
|
|
|
allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
|
2016-10-04 19:31:34 +02:00
|
|
|
|
2017-11-09 23:51:26 +01:00
|
|
|
allow hal_wifi self:global_capability_class_set { net_admin net_raw };
|
2016-10-04 19:31:34 +02:00
|
|
|
# allow hal_wifi to speak to nl80211 in the kernel
|
|
|
|
allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
|
|
|
|
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
|
|
|
|
allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
|
2016-12-12 19:18:51 +01:00
|
|
|
# hal_wifi writes firmware paths to this file.
|
|
|
|
allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
|
2017-05-23 12:20:04 +02:00
|
|
|
# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
|
2017-11-09 23:51:26 +01:00
|
|
|
allow hal_wifi proc_modules:file { getattr open read };
|
2019-03-15 11:11:04 +01:00
|
|
|
# Allow hal_wifi to send dump info to dumpstate
|
|
|
|
allow hal_wifi dumpstate:fifo_file write;
|
2017-12-15 23:01:44 +01:00
|
|
|
|
|
|
|
# allow hal_wifi to write into /data/vendor/tombstones/wifi
|
2019-03-15 11:11:04 +01:00
|
|
|
allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
|
|
|
|
allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
|