tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/vendor/hal_wifi_supplicant_default.te

33 lines
1.5 KiB
Text
Raw Normal View History

sepolicy: Make wpa_supplicant a HIDL service Note: The existing rules allowing socket communication will be removed once we migrate over to HIDL completely. (cherry-pick of 2a9595ede2c9a224686e619c2ee5c976dd324ac0) Bug: 34603782 Test: Able to connect to wifi networks. Test: Will be sending for full wifi integration tests (go/wifi-test-request) Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
2017-02-19 06:32:32 +01:00
# wpa supplicant or equivalent
type hal_wifi_supplicant_default, domain;
hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)
sepolicy: make exec_types in /vendor a subset of vendor_file_type We install all default hal implementations in /vendor/bin/hw along with a few domains that are defined in vendor policy and installed in /vendor. These files MUST be a subset of the global 'vendor_file_type' which is used to address *all files installed in /vendor* throughout the policy. Bug: 36463595 Test: Boot sailfish without any new denials Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-10 22:03:28 +02:00
type hal_wifi_supplicant_default_exec, exec_type, vendor_file_type, file_type;
sepolicy: Make wpa_supplicant a HIDL service Note: The existing rules allowing socket communication will be removed once we migrate over to HIDL completely. (cherry-pick of 2a9595ede2c9a224686e619c2ee5c976dd324ac0) Bug: 34603782 Test: Able to connect to wifi networks. Test: Will be sending for full wifi integration tests (go/wifi-test-request) Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
2017-02-19 06:32:32 +01:00
init_daemon_domain(hal_wifi_supplicant_default)
net_domain(hal_wifi_supplicant_default)
# Create a socket for receiving info from wpa
type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 22:27:32 +01:00
Allow wpa_supplicant to write to files in /proc/net. This is needed for interface configuration - see e.g. nl80211_configure_data_frame_filters. Bug: 77903086 Test: WiFi still working Change-Id: I4b5e2b59eeeb6d0ac19dbcbcf0e7e80942247893
2018-04-18 18:46:53 +02:00
# Allow wpa_supplicant to configure nl80211
Use proc_net_type instead of proc_net. This restores the change made in ag/3883322, which was inadvertently reverted with the combination of ag/3998755 and the merge of aosp/666885. Bug: 9496886 Bug: 68016944 Test: Builds, device boots, no denial seen. Change-Id: I6af83c5bf982283d69ac31c0495471079555c894
2018-05-04 15:44:02 +02:00
allow hal_wifi_supplicant_default proc_net_type:file write;
Allow wpa_supplicant to write to files in /proc/net. This is needed for interface configuration - see e.g. nl80211_configure_data_frame_filters. Bug: 77903086 Test: WiFi still working Change-Id: I4b5e2b59eeeb6d0ac19dbcbcf0e7e80942247893
2018-04-18 18:46:53 +02:00
Wifi Keystore HAL is not a HAL Wifi Keystore HAL is a HwBinder service (currently offered by keystore daemon) which is used by Wifi Supplicant HAL. This commit thus switches the SELinux policy of Wifi Keystore HAL to the approach used for non-HAL HwBinder services. The basic idea is simimilar to how we express Binder services in the policy, with two tweaks: (1) we don't have 'hwservicemanager find' and thus there's no add_hwservice macro, and (2) we need loosen the coupling between core and vendor components. For example, it should be possible to move a HwBinder service offered by a core component into another core component, without having to update the SELinux policy of the vendor image. We thus annotate all components offering HwBinder service x across the core-vendor boundary with x_server, which enables the policy of clients to contain rules of the form: binder_call(mydomain, x_server), and, if the service uses IPC callbacks, also binder_call(x_server, mydomain). Test: mmm system/sepolicy Test: sesearch indicates to changes to binder { call transfer} between keystore and hal_wifi_supplicant_default domains Bug: 36896667 Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
2017-04-04 23:56:31 +02:00
# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
hwbinder_use(hal_wifi_supplicant_default)
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 Change-Id: Iecf74000e6c68f01299667486f3c767912c076d3
2017-04-14 04:05:27 +02:00
allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
Wifi Keystore HAL is not a HAL Wifi Keystore HAL is a HwBinder service (currently offered by keystore daemon) which is used by Wifi Supplicant HAL. This commit thus switches the SELinux policy of Wifi Keystore HAL to the approach used for non-HAL HwBinder services. The basic idea is simimilar to how we express Binder services in the policy, with two tweaks: (1) we don't have 'hwservicemanager find' and thus there's no add_hwservice macro, and (2) we need loosen the coupling between core and vendor components. For example, it should be possible to move a HwBinder service offered by a core component into another core component, without having to update the SELinux policy of the vendor image. We thus annotate all components offering HwBinder service x across the core-vendor boundary with x_server, which enables the policy of clients to contain rules of the form: binder_call(mydomain, x_server), and, if the service uses IPC callbacks, also binder_call(x_server, mydomain). Test: mmm system/sepolicy Test: sesearch indicates to changes to binder { call transfer} between keystore and hal_wifi_supplicant_default domains Bug: 36896667 Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
2017-04-04 23:56:31 +02:00
binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
wpa_supplicant: move control sockets to /data/vendor Treble compliance. Bug: 70228425 Bug: 70393317 Test: complete wifi test in b/70393317 Test: Test wifi on Taimen and Sailfish Test: verify sockets exist in /data/vendor/wifi/wpa/sockets Change-Id: I217c0eda0e5af50bb603cfcc35d60bf0d9cad72e
2018-01-24 17:49:16 +01:00
allow hal_wifi_supplicant_default wpa_data_file:dir create_dir_perms;
allow hal_wifi_supplicant_default wpa_data_file:file create_file_perms;
allow hal_wifi_supplicant_default wpa_data_file:sock_file create_file_perms;
Allow wpa_supplicant to read security logging property. This is needed to allow it to log audit events, e.g. cert validation failure. Bug: 70886042 Test: manual, attempt connecting to EAP-TLS wifi with bad cert. Change-Id: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
2018-02-13 17:35:10 +01:00
# Write to security logs for audit.
get_prop(hal_wifi_supplicant_default, device_logging_prop)
Hide denial for wpa_supplicant writing to /data/misc/wifi. It should instead write to /data/vendor/wifi. Bug: 36645291 Test: Built policy. Change-Id: Ib7ba3477fbc03ebf07b886c60bcf4a64b954934a
2018-03-10 00:47:47 +01:00
# Devices upgrading to P may grant this permission in device-specific
# policy along with the data_between_core_and_vendor_violators
# attribute needed for an exemption. However, devices that launch with
# P should use /data/vendor/wifi, which is already granted in core
# policy. This is dontaudited here to avoid conditional
# device-specific behavior in wpa_supplicant.
dontaudit hal_wifi_supplicant_default wifi_data_file:dir search;
Reference in a new issue Copy permalink