Switch Wi-Fi HAL policy to _client/_server
This switches Wi-Fi HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Wi-Fi HAL.
Domains which are clients of Wi-Fi HAL, such as system_server domain,
are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_wifi are
not granted to client domains.
Domains which offer a binderized implementation of Wi-Fi HAL, such as
hal_wifi_default domain, are always granted rules targeting hal_wifi.
Test: Setup Wizard (incl. adding a Google Account) completes fine with
Wi-Fi connectivity only
Test: Toggle Wi-Fi off, on, off, on
Test: Use System UI to see list of WLANs and connect to one which does
not require a password, and to one which requries a PSK
Test: ip6.me loads fine in Chrome over Wi-Fi
Bug: 34170079
Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f
2017-02-23 00:12:19 +01:00
|
|
|
# HwBinder IPC from client to server, and callbacks
|
|
|
|
binder_call(hal_wifi_client, hal_wifi_server)
|
|
|
|
binder_call(hal_wifi_server, hal_wifi_client)
|
2016-10-04 19:31:34 +02:00
|
|
|
|
2017-04-14 04:05:27 +02:00
|
|
|
add_hwservice(hal_wifi_server, hal_wifi_hwservice)
|
|
|
|
allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
|
|
|
|
|
2016-10-04 19:31:34 +02:00
|
|
|
r_dir_file(hal_wifi, proc_net)
|
|
|
|
r_dir_file(hal_wifi, sysfs_type)
|
|
|
|
|
2017-03-03 14:58:03 +01:00
|
|
|
set_prop(hal_wifi, wifi_prop)
|
|
|
|
|
2016-10-04 19:31:34 +02:00
|
|
|
# allow hal wifi set interfaces up and down
|
|
|
|
allow hal_wifi self:udp_socket create_socket_perms;
|
|
|
|
allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
|
|
|
|
|
2017-11-09 23:51:26 +01:00
|
|
|
allow hal_wifi self:global_capability_class_set { net_admin net_raw };
|
2016-10-04 19:31:34 +02:00
|
|
|
# allow hal_wifi to speak to nl80211 in the kernel
|
|
|
|
allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
|
|
|
|
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
|
|
|
|
allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
|
2016-12-12 19:18:51 +01:00
|
|
|
# hal_wifi writes firmware paths to this file.
|
|
|
|
allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
|
2017-05-23 12:20:04 +02:00
|
|
|
# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
|
2017-11-09 23:51:26 +01:00
|
|
|
allow hal_wifi proc_modules:file { getattr open read };
|
2017-12-15 23:01:44 +01:00
|
|
|
|
|
|
|
# allow hal_wifi to write into /data/vendor/tombstones/wifi
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
|
|
|
|
allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
|
|
|
|
')
|