tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/hal_wifi.te

36 lines
1.5 KiB
Text
Raw Normal View History

Switch Wi-Fi HAL policy to _client/_server This switches Wi-Fi HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Wi-Fi HAL. Domains which are clients of Wi-Fi HAL, such as system_server domain, are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_wifi are not granted to client domains. Domains which offer a binderized implementation of Wi-Fi HAL, such as hal_wifi_default domain, are always granted rules targeting hal_wifi. Test: Setup Wizard (incl. adding a Google Account) completes fine with Wi-Fi connectivity only Test: Toggle Wi-Fi off, on, off, on Test: Use System UI to see list of WLANs and connect to one which does not require a password, and to one which requries a PSK Test: ip6.me loads fine in Chrome over Wi-Fi Bug: 34170079 Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f
2017-02-23 00:12:19 +01:00
# HwBinder IPC from client to server, and callbacks
binder_call(hal_wifi_client, hal_wifi_server)
binder_call(hal_wifi_server, hal_wifi_client)
wifi_hal: Rename to 'hal_wifi' Renaming the wifi HIDL implementation to 'hal_wifi' from 'wifi_hal_legacy' to conform with HIDL style guide. Denials: 01-01 21:55:23.896 2865 2865 I android.hardware.wifi@1.0-service: wifi_hal_legacy is starting up... 01-01 21:55:23.898 2865 2865 W android.hardware.wifi@1.0-service: /odm/lib64/hw/ does not exit. 01-01 21:55:23.899 2865 2865 F android.hardware.wifi@1.0-service: service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL 01-01 21:55:23.899 2865 2865 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 2865 (android.hardwar) 01-01 21:55:23.901 377 377 W : debuggerd: handling request: pid=2865 uid=2000 gid=2000 tid=2865 01-01 21:55:23.907 2867 2867 E : debuggerd: Unable to connect to activity manager (connect failed: Connection refused) 01-01 21:55:23.908 2867 2867 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 01-01 21:55:23.908 2867 2867 F DEBUG : Build fingerprint: 'Android/aosp_angler/angler:7.0/NYC/rpius10031052:userdebug/test-keys' 01-01 21:55:23.908 2867 2867 F DEBUG : Revision: '0' 01-01 21:55:23.908 2867 2867 F DEBUG : ABI: 'arm64' 01-01 21:55:23.908 2867 2867 F DEBUG : pid: 2865, tid: 2865, name: android.hardwar >>> /system/bin/hw/android.hardware.wifi@1.0-service <<< 01-01 21:55:23.909 2867 2867 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr -------- 01-01 21:55:23.910 2867 2867 F DEBUG : Abort message: 'service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL' Bug: 31821133 Test: Compiled and ensured that the selinux denials are no longer present in logs. Change-Id: I5bbbcad307e9bb9e59fff87e2926751b3aecc813
2016-10-04 19:31:34 +02:00
hal_attribute_hwservice_client drop '_client' Since this attribute just associates a hal_attribute with a given hwservice in the standard way. Bug: 80319537 Test: boot + sanity + test for denials Change-Id: I545de165515387317e6920ce8f5e8c491f9ab24e
2018-06-06 18:30:18 +02:00
hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
Add SeLinux policy for WiFi Vendor HAL AIDL service. Bug: 205044134 Test: Manual - reboot phone and check if AIDL service is running. Change-Id: I242e6ef860d2defdb0ab0a3d649b2a4e3f0de5a6
2022-07-14 23:16:31 +02:00
hal_attribute_service(hal_wifi, hal_wifi_service)
Fix SE policy violation of Wi-Fi vendor AIDL service Wi-Fi vendor AIDL service uses NDK to register itself to service manager. AServiceManager_registerLazyService registers an IClientCallback to service manager. The callback is invoked when there is a transition between having >= 1 clients and having 0 clients (or vice versa). Please check IClientCallback.aidl. As a result servicemanager may make binder call to Wi-Fi vendor AIDL service. Since this is not allowed per current SE policies, "avc denied" occurred: servicemanager: type=1400 audit(0.0:248): avc: denied { call } for scontext=u:r:servicemanager:s0 tcontext=u:r:hal_wifi_default:s0 tclass=binder permissive=0 We add SE policy for hal_wifi_default to allow binder call like this. Bug: 270511173 Test: manually build and test, check logs for avc denied Change-Id: Ia6fcf5fc1cafff0381fc9857805bdc61cc838c1e
2023-02-23 05:23:33 +01:00
binder_use(hal_wifi_server)
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-14 04:05:27 +02:00
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
r_dir_file(hal_wifi, proc_net_type)
wifi_hal: Rename to 'hal_wifi' Renaming the wifi HIDL implementation to 'hal_wifi' from 'wifi_hal_legacy' to conform with HIDL style guide. Denials: 01-01 21:55:23.896 2865 2865 I android.hardware.wifi@1.0-service: wifi_hal_legacy is starting up... 01-01 21:55:23.898 2865 2865 W android.hardware.wifi@1.0-service: /odm/lib64/hw/ does not exit. 01-01 21:55:23.899 2865 2865 F android.hardware.wifi@1.0-service: service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL 01-01 21:55:23.899 2865 2865 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 2865 (android.hardwar) 01-01 21:55:23.901 377 377 W : debuggerd: handling request: pid=2865 uid=2000 gid=2000 tid=2865 01-01 21:55:23.907 2867 2867 E : debuggerd: Unable to connect to activity manager (connect failed: Connection refused) 01-01 21:55:23.908 2867 2867 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 01-01 21:55:23.908 2867 2867 F DEBUG : Build fingerprint: 'Android/aosp_angler/angler:7.0/NYC/rpius10031052:userdebug/test-keys' 01-01 21:55:23.908 2867 2867 F DEBUG : Revision: '0' 01-01 21:55:23.908 2867 2867 F DEBUG : ABI: 'arm64' 01-01 21:55:23.908 2867 2867 F DEBUG : pid: 2865, tid: 2865, name: android.hardwar >>> /system/bin/hw/android.hardware.wifi@1.0-service <<< 01-01 21:55:23.909 2867 2867 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr -------- 01-01 21:55:23.910 2867 2867 F DEBUG : Abort message: 'service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL' Bug: 31821133 Test: Compiled and ensured that the selinux denials are no longer present in logs. Change-Id: I5bbbcad307e9bb9e59fff87e2926751b3aecc813
2016-10-04 19:31:34 +02:00
r_dir_file(hal_wifi, sysfs_type)
Fix a sepolicy violation error for hal_wifi set_prop(hal_wifi, wifi_hal_prop) violates a neverallow rule on PRODUCT_SHIPPING_API_LEVEL=28 b/173611344#comment20 Bug: 173611344 Test: m Change-Id: I56ff953e196777ffdc7a8ca92bcf788e3431aaac
2020-11-25 02:24:41 +01:00
set_prop(hal_wifi_server, wifi_hal_prop)
sepolicy: Allow hal_wifi to set wlan driver status prop The new wifi HAL manages the wlan driver and hence needs to be able to load/unload the driver. The "wlan.driver.status" is used to indicate the state of the driver to the rest of the system. There are .rc scripts for example which wait for the state of this property. Denials: 03-01 13:31:43.394 476 476 W android.hardwar: type=1400 audit(0.0:7243): avc: denied { read } for name="u:object_r:wifi_prop:s0" dev="tmpfs" ino=10578 scontext=u:r:hal_wifi_default:s0 tcontext=u:object_r:wifi_prop:s0 tclass=file permissive=0 03-01 13:31:43.399 476 476 E libc : Access denied finding property "wlan.driver.status" Bug: 35765841 Test: Denials no longer seen Change-Id: I502494af7140864934038ef51cb0326ba3902c63
2017-03-03 14:58:03 +01:00
set_prop(hal_wifi, wifi_prop)
sepolicy(hal_wifi): Allow wifi HAL to access persist.vendor.debug properties We want to tweak some device params at runtime via shell (alleviates the need to recompile HAL for changing device configuration). This will help us test/teamfood couple of new features under development. Bug: 173044646 Test: Wifi HAL can read persist.vendor.debug.wifi properties. Change-Id: Iabd07e72aa5f0d97519a37d0ebb1e0a3458b6d06
2020-11-12 23:21:41 +01:00
userdebug_or_eng(`get_prop(hal_wifi, persist_vendor_debug_wifi_prop)')
sepolicy: Allow hal_wifi to set wlan driver status prop The new wifi HAL manages the wlan driver and hence needs to be able to load/unload the driver. The "wlan.driver.status" is used to indicate the state of the driver to the rest of the system. There are .rc scripts for example which wait for the state of this property. Denials: 03-01 13:31:43.394 476 476 W android.hardwar: type=1400 audit(0.0:7243): avc: denied { read } for name="u:object_r:wifi_prop:s0" dev="tmpfs" ino=10578 scontext=u:r:hal_wifi_default:s0 tcontext=u:object_r:wifi_prop:s0 tclass=file permissive=0 03-01 13:31:43.399 476 476 E libc : Access denied finding property "wlan.driver.status" Bug: 35765841 Test: Denials no longer seen Change-Id: I502494af7140864934038ef51cb0326ba3902c63
2017-03-03 14:58:03 +01:00
Wifi HAL SIOCETHTOOL sepolicy Allow wifi HAL to use SIOCETHTOOL. This permission is needed to get factory MAC address of the device. Bug: 111634904 Test: Manual check that the device can get factory MAC address Change-Id: I50e91ef7390ad4fba6e014990ee23feb777c4391
2018-12-05 02:21:19 +01:00
# allow hal wifi set interfaces up and down and get the factory MAC
wifi_hal: Rename to 'hal_wifi' Renaming the wifi HIDL implementation to 'hal_wifi' from 'wifi_hal_legacy' to conform with HIDL style guide. Denials: 01-01 21:55:23.896 2865 2865 I android.hardware.wifi@1.0-service: wifi_hal_legacy is starting up... 01-01 21:55:23.898 2865 2865 W android.hardware.wifi@1.0-service: /odm/lib64/hw/ does not exit. 01-01 21:55:23.899 2865 2865 F android.hardware.wifi@1.0-service: service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL 01-01 21:55:23.899 2865 2865 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 2865 (android.hardwar) 01-01 21:55:23.901 377 377 W : debuggerd: handling request: pid=2865 uid=2000 gid=2000 tid=2865 01-01 21:55:23.907 2867 2867 E : debuggerd: Unable to connect to activity manager (connect failed: Connection refused) 01-01 21:55:23.908 2867 2867 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 01-01 21:55:23.908 2867 2867 F DEBUG : Build fingerprint: 'Android/aosp_angler/angler:7.0/NYC/rpius10031052:userdebug/test-keys' 01-01 21:55:23.908 2867 2867 F DEBUG : Revision: '0' 01-01 21:55:23.908 2867 2867 F DEBUG : ABI: 'arm64' 01-01 21:55:23.908 2867 2867 F DEBUG : pid: 2865, tid: 2865, name: android.hardwar >>> /system/bin/hw/android.hardware.wifi@1.0-service <<< 01-01 21:55:23.909 2867 2867 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr -------- 01-01 21:55:23.910 2867 2867 F DEBUG : Abort message: 'service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL' Bug: 31821133 Test: Compiled and ensured that the selinux denials are no longer present in logs. Change-Id: I5bbbcad307e9bb9e59fff87e2926751b3aecc813
2016-10-04 19:31:34 +02:00
allow hal_wifi self:udp_socket create_socket_perms;
Wifi HAL SIOCETHTOOL sepolicy Allow wifi HAL to use SIOCETHTOOL. This permission is needed to get factory MAC address of the device. Bug: 111634904 Test: Manual check that the device can get factory MAC address Change-Id: I50e91ef7390ad4fba6e014990ee23feb777c4391
2018-12-05 02:21:19 +01:00
allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
wifi_hal: Rename to 'hal_wifi' Renaming the wifi HIDL implementation to 'hal_wifi' from 'wifi_hal_legacy' to conform with HIDL style guide. Denials: 01-01 21:55:23.896 2865 2865 I android.hardware.wifi@1.0-service: wifi_hal_legacy is starting up... 01-01 21:55:23.898 2865 2865 W android.hardware.wifi@1.0-service: /odm/lib64/hw/ does not exit. 01-01 21:55:23.899 2865 2865 F android.hardware.wifi@1.0-service: service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL 01-01 21:55:23.899 2865 2865 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 2865 (android.hardwar) 01-01 21:55:23.901 377 377 W : debuggerd: handling request: pid=2865 uid=2000 gid=2000 tid=2865 01-01 21:55:23.907 2867 2867 E : debuggerd: Unable to connect to activity manager (connect failed: Connection refused) 01-01 21:55:23.908 2867 2867 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 01-01 21:55:23.908 2867 2867 F DEBUG : Build fingerprint: 'Android/aosp_angler/angler:7.0/NYC/rpius10031052:userdebug/test-keys' 01-01 21:55:23.908 2867 2867 F DEBUG : Revision: '0' 01-01 21:55:23.908 2867 2867 F DEBUG : ABI: 'arm64' 01-01 21:55:23.908 2867 2867 F DEBUG : pid: 2865, tid: 2865, name: android.hardwar >>> /system/bin/hw/android.hardware.wifi@1.0-service <<< 01-01 21:55:23.909 2867 2867 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr -------- 01-01 21:55:23.910 2867 2867 F DEBUG : Abort message: 'service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL' Bug: 31821133 Test: Compiled and ensured that the selinux denials are no longer present in logs. Change-Id: I5bbbcad307e9bb9e59fff87e2926751b3aecc813
2016-10-04 19:31:34 +02:00
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow hal_wifi self:global_capability_class_set { net_admin net_raw };
wifi_hal: Rename to 'hal_wifi' Renaming the wifi HIDL implementation to 'hal_wifi' from 'wifi_hal_legacy' to conform with HIDL style guide. Denials: 01-01 21:55:23.896 2865 2865 I android.hardware.wifi@1.0-service: wifi_hal_legacy is starting up... 01-01 21:55:23.898 2865 2865 W android.hardware.wifi@1.0-service: /odm/lib64/hw/ does not exit. 01-01 21:55:23.899 2865 2865 F android.hardware.wifi@1.0-service: service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL 01-01 21:55:23.899 2865 2865 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 2865 (android.hardwar) 01-01 21:55:23.901 377 377 W : debuggerd: handling request: pid=2865 uid=2000 gid=2000 tid=2865 01-01 21:55:23.907 2867 2867 E : debuggerd: Unable to connect to activity manager (connect failed: Connection refused) 01-01 21:55:23.908 2867 2867 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 01-01 21:55:23.908 2867 2867 F DEBUG : Build fingerprint: 'Android/aosp_angler/angler:7.0/NYC/rpius10031052:userdebug/test-keys' 01-01 21:55:23.908 2867 2867 F DEBUG : Revision: '0' 01-01 21:55:23.908 2867 2867 F DEBUG : ABI: 'arm64' 01-01 21:55:23.908 2867 2867 F DEBUG : pid: 2865, tid: 2865, name: android.hardwar >>> /system/bin/hw/android.hardware.wifi@1.0-service <<< 01-01 21:55:23.909 2867 2867 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr -------- 01-01 21:55:23.910 2867 2867 F DEBUG : Abort message: 'service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL' Bug: 31821133 Test: Compiled and ensured that the selinux denials are no longer present in logs. Change-Id: I5bbbcad307e9bb9e59fff87e2926751b3aecc813
2016-10-04 19:31:34 +02:00
# allow hal_wifi to speak to nl80211 in the kernel
allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
hal_wifi: Allow HAL to reload wifi firmware Need write permissions on the specified sysfs path for reloading firmware. Denials: 01-21 23:39:01.650 4669 4669 W android.hardwar: type=1400 audit(0.0:103): avc: denied { write } for name="fwpath" dev="sysfs" ino=6847 scontext=u:r:hal_wifi:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0 01-21 23:39:01.653 4669 4669 E android.hardware.wifi@1.0-service: Failed to open wlan fw path param: Permission denied Bug: 32018162 Test: Denials no longer present in the logs. Change-Id: I1a468e7c2a2a4360a2b61f04f1940471d52d0dd6
2016-12-12 19:18:51 +01:00
# hal_wifi writes firmware paths to this file.
allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
Add sepolicy for hal_wifi to access /proc/modules Add sepolicy to hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded. Bug: 62013623 Change-Id: Ib700170095b183a1e0e6a36b64e7c65655174f21
2017-05-23 12:20:04 +02:00
# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow hal_wifi proc_modules:file { getattr open read };
Allow dumpstate to dump wlan hal log on userbuild To check issue on userbuild, wlan hal log is helpful. Bug: 122265104 Test: Manully, log collected on user build Change-Id: I5aa96aa796ca7dfb92e97df3e7be054ff79f6e3d
2019-03-15 11:11:04 +01:00
# Allow hal_wifi to send dump info to dumpstate
allow hal_wifi dumpstate:fifo_file write;
Wifi hal - Firmware dump permissions we are aiming to improve logging performance by having wifi hal directly write to the flash. Wifi hal need to be able to create, write, and delete files in a directory. This will be restricted to userdebug and eng builds only. Bug: 70170285 Test: compile, run on device Change-Id: Id0cd317411f4c393d7529aa31b501046d7350edb
2017-12-15 23:01:44 +01:00
# allow hal_wifi to write into /data/vendor/tombstones/wifi
Allow dumpstate to dump wlan hal log on userbuild To check issue on userbuild, wlan hal log is helpful. Bug: 122265104 Test: Manully, log collected on user build Change-Id: I5aa96aa796ca7dfb92e97df3e7be054ff79f6e3d
2019-03-15 11:11:04 +01:00
allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
Reference in a new issue Copy permalink