platform_system_sepolicy/public/wpa.te

# wpa - wpa supplicant or equivalent
type wpa, domain, domain_deprecated;
type wpa_exec, exec_type, file_type;

net_domain(wpa)
# in addition to ioctls whitelisted for all domains, grant wpa priv_sock_ioctls.
allowxperm wpa self:udp_socket ioctl priv_sock_ioctls;

r_dir_file(wpa, sysfs_type)
r_dir_file(wpa, proc_net)

allow wpa kernel:system module_request;
allow wpa self:capability { setuid net_admin setgid net_raw };
allow wpa cgroup:dir create_dir_perms;
allow wpa self:netlink_route_socket nlmsg_write;
allow wpa self:netlink_socket create_socket_perms_no_ioctl;
allow wpa self:netlink_generic_socket create_socket_perms_no_ioctl;
allow wpa self:packet_socket create_socket_perms;
allowxperm wpa self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
allow wpa wifi_data_file:dir create_dir_perms;
allow wpa wifi_data_file:file create_file_perms;
unix_socket_send(wpa, system_wpa, system_server)

# Keystore access via binder.
binder_use(wpa)

# HIDL interface exposed by WPA.
hwbinder_use(wpa)
binder_call(wpa, wificond)

# Create a socket for receiving info from wpa
allow wpa wpa_socket:dir create_dir_perms;
allow wpa wpa_socket:sock_file create_file_perms;

use_keystore(wpa)

# WPA (wifi) has a restricted set of permissions from the default.
allow wpa keystore:keystore_key {
	get
	sign
	verify
};

# Allow wpa_cli to work. wpa_cli creates a socket in
# /data/misc/wifi/sockets which wpa supplicant communicates with.
userdebug_or_eng(`
  unix_socket_send(wpa, wpa, su)
')

###
### neverallow rules
###

# wpa_supplicant should not trust any data from sdcards
neverallow wpa sdcard_type:dir ~getattr;
neverallow wpa sdcard_type:file *;
SE Android policy. 2012-01-04 18:33:27 +01:00			`# wpa - wpa supplicant or equivalent`
Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c 2015-11-03 18:54:39 +01:00			`type wpa, domain, domain_deprecated;`
SE Android policy. 2012-01-04 18:33:27 +01:00			`type wpa_exec, exec_type, file_type;`

Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-24 21:06:11 +01:00			`net_domain(wpa)`
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe 2016-05-17 06:12:17 +02:00			`# in addition to ioctls whitelisted for all domains, grant wpa priv_sock_ioctls.`
			`allowxperm wpa self:udp_socket ioctl priv_sock_ioctls;`
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-24 21:06:11 +01:00
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-10 01:27:17 +02:00			`r_dir_file(wpa, sysfs_type)`
			`r_dir_file(wpa, proc_net)`

Confine wpa_supplicant, but leave it permissive for now. Change-Id: Iaa4ed5428d1c49cb4cff3a39c48800cb108f2ac3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:41 +01:00			`allow wpa kernel:system module_request;`
			`allow wpa self:capability { setuid net_admin setgid net_raw };`
			`allow wpa cgroup:dir create_dir_perms;`
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-24 21:06:11 +01:00			`allow wpa self:netlink_route_socket nlmsg_write;`
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe 2016-05-17 06:12:17 +02:00			`allow wpa self:netlink_socket create_socket_perms_no_ioctl;`
			`allow wpa self:netlink_generic_socket create_socket_perms_no_ioctl;`
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-24 21:06:11 +01:00			`allow wpa self:packet_socket create_socket_perms;`
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe 2016-05-17 06:12:17 +02:00			`allowxperm wpa self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };`
Confine wpa_supplicant, but leave it permissive for now. Change-Id: Iaa4ed5428d1c49cb4cff3a39c48800cb108f2ac3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:41 +01:00			`allow wpa wifi_data_file:dir create_dir_perms;`
			`allow wpa wifi_data_file:file create_file_perms;`
			`unix_socket_send(wpa, system_wpa, system_server)`

wpa.te: Add binder permission back Adding back the binder permission to access keystore from wpa_supplicant. This was removed by mistake in the previous patch (commit#: 6caeac) to add hwbinder permissions. Denials in logs: 11-03 14:37:54.831 9011 9011 I auditd : type=1400 audit(0.0:1490): avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:54.831 9011 9011 W wpa_supplicant: type=1400 audit(0.0:1490): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:55.838 9011 9011 I ServiceManager: Waiting for service android.security.keystore... 11-03 14:37:55.834 9011 9011 I auditd : type=1400 audit(0.0:1491): avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:55.834 9011 9011 W wpa_supplicant: type=1400 audit(0.0:1491): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:56.838 9011 9011 I ServiceManager: Waiting for service android.security.keystore... 11-03 14:37:56.834 9011 9011 I auditd : type=1400 audit(0.0:1492): avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:56.834 9011 9011 W wpa_supplicant: type=1400 audit(0.0:1492): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:57.839 9011 9011 I ServiceManager: Waiting for service android.security.keystore... 11-03 14:37:57.834 9011 9011 I auditd : type=1400 audit(0.0:1493): avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 11-03 14:37:57.834 9011 9011 W wpa_supplicant: type=1400 audit(0.0:1493): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 Bug: 32655747 Test: Compiles. Will send for integration testing. Change-Id: Ic57a5bf0e6ea15770efc0d09f68d04b2db9ec1b8 2016-11-04 17:02:26 +01:00			`# Keystore access via binder.`
			`binder_use(wpa)`

wpa: Add permissions for hwbinder Modify permissions for wpa_supplicant to use hwbinder (for HIDL), instead of binder. Denials: 01-15 14:31:58.573 541 541 W wpa_supplicant: type=1400 audit(0.0:10): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0 01-15 14:31:58.573 541 541 W wpa_supplicant: type=1400 audit(0.0:11): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0 BUG: 31365276 Test: Compiled and ensured that the selinux denials are no longer present in logs. Change-Id: Ifa4630edea6ec5a916b3940f9a03ef9dc6fc9af2 2016-09-29 00:12:23 +02:00			`# HIDL interface exposed by WPA.`
			`hwbinder_use(wpa)`
sepolicy: Add permissions for wpa_supplicant binder Add the necessary permissions for \|wpa_supplicant\| to expose a binder interface. This binder interface will be used by the newly added \|wificond\| service (and potentially system_server). \|wpa_supplicant\| also needs to invoke binder callbacks on \|wificond\|. Changes in the CL: 1. Allow \|wpa_supplicant\| to register binder service. 2. Allow \|wpa_supplicant\| to invoke binder calls on \|wificond\|. 3. Allow \|wificond\| to invoke binder calls on \|wpa_supplicant\| Denials: 06-30 08:14:42.788 400 400 E SELinux : avc: denied { add } for service=wpa_supplicant pid=20756 uid=1010 scontext=u:r:wpa:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1 BUG:29877467 TEST: Compiled and ensured that the selinux denials are no longer present in logs. TEST: Ran integration test to find the service. Change-Id: Ib78d8e820fc81b2c3d9260e1c877c5faa9f1f662 (cherry picked from commit 18883a93b795da6409beeddf2c6ce34ce8234cb0) 2016-06-30 17:20:29 +02:00			`binder_call(wpa, wificond)`
Allow wpa to perform binder IPC to keystore. Addresses denials such as: avc: denied { call } for pid=2275 comm="wpa_supplicant" scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder Change-Id: I8ab148046dd06f56630a2876db787b293e14c0ae Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-03-12 21:30:47 +01:00
Confine wpa_supplicant, but leave it permissive for now. Change-Id: Iaa4ed5428d1c49cb4cff3a39c48800cb108f2ac3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:41 +01:00			`# Create a socket for receiving info from wpa`
Ensure that /data/misc/wifi/sockets is always labeled wpa_socket. It appears that wpa_supplicant tries to rmdir /data/misc/wifi/sockets and re-create it at times, so make sure that it remains labeled correctly when re-created in this manner via a name-based type transition rule. Do the same for hostapd as it also has permissions for creating/removing this directory. <5>[83921.800071] type=1400 audit(1392997522.105:26): avc: denied { rmdir } for pid=3055 comm="wpa_supplicant" name="sockets" dev="mmcblk0p28" ino=618957 scontext=u:r:wpa:s0 tcontext=u:object_r:wpa_socket:s0 tclass=dir We no longer need the type_transition for sock_file as it will inherit the type from the parent directory which is set via restorecon_recursive /data/misc/wifi/sockets or via type_transition, so drop it. Change-Id: Iffa61c426783eb03205ba6964c624c6ecea32630 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-21 17:28:20 +01:00			`allow wpa wpa_socket:dir create_dir_perms;`
Confine wpa_supplicant, but leave it permissive for now. Change-Id: Iaa4ed5428d1c49cb4cff3a39c48800cb108f2ac3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:41 +01:00			`allow wpa wpa_socket:sock_file create_file_perms;`
allow wpa_cli to work. With wpa_supplicant in enforcing, wpa_cli doesn't work. Denial: type=1400 audit(1390597866.260:59): avc: denied { write } for pid=3410 comm="wpa_supplicant" name="wpa_ctrl_4852-1" dev="mmcblk0p28" ino=618993 scontext=u:r:wpa:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file After I9e35cc93abf89ce3594860aa3193f84a3b42ea6e and I51b09c5e40946673a38732ea9f601b2d047d3b62, the /data/misc/wifi/sockets directory is labeled properly. This change allows the communication between the su domain and wpa. Steps to reproduce: Start wifi (so wpa_supplicant will run) Start wpa_cli - it will hand $ adb root $ adb shell # wpa_cli -g @android:wpa_wlan0 Bug: 12721629 Change-Id: I03170acc155ad122c5197baaf590d17fc1ace6a5 2014-01-25 00:46:27 +01:00
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc 2014-06-17 23:58:52 +02:00			`use_keystore(wpa)`

			`# WPA (wifi) has a restricted set of permissions from the default.`
			`allow wpa keystore:keystore_key {`
			`get`
			`sign`
			`verify`
			`};`

allow wpa_cli to work. With wpa_supplicant in enforcing, wpa_cli doesn't work. Denial: type=1400 audit(1390597866.260:59): avc: denied { write } for pid=3410 comm="wpa_supplicant" name="wpa_ctrl_4852-1" dev="mmcblk0p28" ino=618993 scontext=u:r:wpa:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file After I9e35cc93abf89ce3594860aa3193f84a3b42ea6e and I51b09c5e40946673a38732ea9f601b2d047d3b62, the /data/misc/wifi/sockets directory is labeled properly. This change allows the communication between the su domain and wpa. Steps to reproduce: Start wifi (so wpa_supplicant will run) Start wpa_cli - it will hand $ adb root $ adb shell # wpa_cli -g @android:wpa_wlan0 Bug: 12721629 Change-Id: I03170acc155ad122c5197baaf590d17fc1ace6a5 2014-01-25 00:46:27 +01:00			`# Allow wpa_cli to work. wpa_cli creates a socket in`
			`# /data/misc/wifi/sockets which wpa supplicant communicates with.`
			userdebug_or_eng(`
			`unix_socket_send(wpa, wpa, su)`
			`')`
Add wpa neverallow rule wpa should never trust any data coming from the sdcard. Add a compile time assertion to make sure no rules are ever added allowing this access. Change-Id: I5f50a8242aa30f6cc0cfd89d82b2b153625105f6 2014-10-31 21:45:30 +01:00
			`###`
			`### neverallow rules`
			`###`

			`# wpa_supplicant should not trust any data from sdcards`
			`neverallow wpa sdcard_type:dir ~getattr;`
			`neverallow wpa sdcard_type:file *;`