tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/wificond.te

39 lines
1.3 KiB
Text
Raw Normal View History

Sepolicy files for wificond This sepolicy change allows wificond to run as a deamon. BUG=28865186 TEST=compile TEST=compile with ag/1059605 Add wificond to '/target/product/base.mk' Adb shell ps -A | grep 'wificond' Change-Id: If1e4a8542ac03e8ae42371d75aa46b90c3d8545d (cherry picked from commit 4ef44a616ee5888023e5c53bbc2c4df6549f748a)
2016-05-20 04:31:20 +02:00
# wificond
type wificond, domain;
type wificond_exec, exec_type, file_type;
init_daemon_domain(wificond)
sepolicy: add sepolicy binder support for wificond This allows wificond to publish binder interface using service manager. Denial warnings: wificond: type=1400 audit(0.0:8): avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 wificond: type=1400 audit(0.0:9): avc: denied { transfer } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 servicemanager: type=1400 audit(0.0:10): avc: denied { search } for name="6085" dev="proc" ino=40626 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=dir permissive=1 servicemanager: type=1400 audit(0.0:11): avc: denied { read } for name="current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1 servicemanager: type=1400 audit(0.0:12): avc: denied { open } for path="/proc/6085/attr/current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1 servicemanager: type=1400 audit(0.0:13): avc: denied { getattr } for scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=process permissive=1 SELinux : avc: denied { add } for service=wificond pid=6085 uid=0 scontext=u:r:wificond:s0 tcontext=u:object_r:wifi_service:s0 tclass=service_manager permissive=1 BUG=28867093 TEST=compile TEST=use a client to call wificond service through binder Change-Id: I9312892caff171f17b04c30a415c07036b39ea7f (cherry picked from commit d56bcb1c5452c8dcdda7e4ef5d0f44b91b6bb08b)
2016-06-03 19:08:56 +02:00
binder_use(wificond)
binder_call(wificond, system_server)
sepolicy: Add permissions for wpa_supplicant binder Add the necessary permissions for |wpa_supplicant| to expose a binder interface. This binder interface will be used by the newly added |wificond| service (and potentially system_server). |wpa_supplicant| also needs to invoke binder callbacks on |wificond|. Changes in the CL: 1. Allow |wpa_supplicant| to register binder service. 2. Allow |wpa_supplicant| to invoke binder calls on |wificond|. 3. Allow |wificond| to invoke binder calls on |wpa_supplicant| Denials: 06-30 08:14:42.788 400 400 E SELinux : avc: denied { add } for service=wpa_supplicant pid=20756 uid=1010 scontext=u:r:wpa:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1 BUG:29877467 TEST: Compiled and ensured that the selinux denials are no longer present in logs. TEST: Ran integration test to find the service. Change-Id: Ib78d8e820fc81b2c3d9260e1c877c5faa9f1f662 (cherry picked from commit 18883a93b795da6409beeddf2c6ce34ce8234cb0)
2016-06-30 17:20:29 +02:00
binder_call(wificond, wpa)
sepolicy: add sepolicy binder support for wificond This allows wificond to publish binder interface using service manager. Denial warnings: wificond: type=1400 audit(0.0:8): avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 wificond: type=1400 audit(0.0:9): avc: denied { transfer } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 servicemanager: type=1400 audit(0.0:10): avc: denied { search } for name="6085" dev="proc" ino=40626 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=dir permissive=1 servicemanager: type=1400 audit(0.0:11): avc: denied { read } for name="current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1 servicemanager: type=1400 audit(0.0:12): avc: denied { open } for path="/proc/6085/attr/current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1 servicemanager: type=1400 audit(0.0:13): avc: denied { getattr } for scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=process permissive=1 SELinux : avc: denied { add } for service=wificond pid=6085 uid=0 scontext=u:r:wificond:s0 tcontext=u:object_r:wifi_service:s0 tclass=service_manager permissive=1 BUG=28867093 TEST=compile TEST=use a client to call wificond service through binder Change-Id: I9312892caff171f17b04c30a415c07036b39ea7f (cherry picked from commit d56bcb1c5452c8dcdda7e4ef5d0f44b91b6bb08b)
2016-06-03 19:08:56 +02:00
allow wificond wificond_service:service_manager { add find };
Define explicit label for wlan sysfs fwpath avc: denied { write } for name="fwpath" dev="sysfs" ino=6863 scontext=u:r:wificond:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0 Test: wificond and netd can write to this path, wifi works Test: `runtest frameworks-wifi` passes Bug: 29579539 Change-Id: Ia21c654b00b09b9fe3e50d564b82966c9c8e6994 (cherry picked from commit 7d13dd806f37523ba8164325fef9b000d6eacd7c)
2016-06-30 23:23:12 +02:00
allow wificond sysfs_wlan_fwpath:file w_file_perms;
Separate permissions to set WiFi related properties wificond would like to be able to set WiFi related properties without access to the rest of the system properties. Today, this only involves marking the driver as loaded or unloaded. avc: denied { write } for name="property_service" dev="tmpfs" ino=10100 scontext=u:r:wificond:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0 Bug: 29579539 Test: No avc denials related to system properties across various WiFi events. Change-Id: I6d9f1de3fbef04cb7750cc3753634f9e02fdb71f (cherry picked from commit 1ebfdd6a14fb21705664c8e144f151b39c3d73f8)
2016-06-29 20:28:20 +02:00
set_prop(wificond, wifi_prop)
Give wificond permission to start/stop init services Bug: 30292103 Change-Id: I433f2b8cc912b42bf026f6e908fd458a07c41fc2 Test: Integration tests reveal wificond can start/stop hostapd. (cherry picked from commit 1faa9c55daed010398bd2586e418b66f3c182a24)
2016-07-22 23:34:26 +02:00
set_prop(wificond, ctl_default_prop)
Allow wificond to mark interfaces up and down avc: denied { create } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=udp_socket permissive=0 avc: denied { net_raw } for capability=13 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=capability permissive=0 avc: denied { read } for name="psched" dev="proc" ino=4026535377 scontext=u:r:wificond:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 Test: fixes above avc denials Bug: 29579539 Change-Id: Ie1dff80103e81cfba8064a22b5dd3e1e8f29471b (cherry picked from commit b6a6561d0ef37ad86802ef1ceeefc59a42612435)
2016-07-01 02:48:12 +02:00
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;
add netlink socket permission for wificond wificond: type=1400 audit(0.0:43): avc: denied { create } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1 wificond: type=1400 audit(0.0:44): avc: denied { setopt } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1 wificond: type=1400 audit(0.0:45): avc: denied { net_admin } for capability=12 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=capability permissive=1 wificond: type=1400 audit(0.0:46): avc: denied { bind } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1 wificond: type=1400 audit(0.0:47): avc: denied { write } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1 wificond: type=1400 audit(0.0:48): avc: denied { read } for path="socket:[35892]" dev="sockfs" ino=35892 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1 TEST=compile and run Change-Id: I5e1befabca7388d5b2145f49462e5cff872d9f43 (cherry picked from commit 781cfd8255ff476598bcd9a111d2ded3e4a5ecf7)
2016-07-19 01:48:50 +02:00
allow wificond self:capability { net_admin net_raw };
allow wificond self:netlink_socket create_socket_perms;
Allow wificond to mark interfaces up and down avc: denied { create } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=udp_socket permissive=0 avc: denied { net_raw } for capability=13 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=capability permissive=0 avc: denied { read } for name="psched" dev="proc" ino=4026535377 scontext=u:r:wificond:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 Test: fixes above avc denials Bug: 29579539 Change-Id: Ie1dff80103e81cfba8064a22b5dd3e1e8f29471b (cherry picked from commit b6a6561d0ef37ad86802ef1ceeefc59a42612435)
2016-07-01 02:48:12 +02:00
r_dir_file(wificond, proc_net)
Allow wificond to write wifi component config files We need the ability to set file permissions, create files, write files, chown files. Test: integration tests that start/stop hostapd and write its config file via wificond pass without SELinux denials. Bug: 30040724 Change-Id: Iee15fb36a6a4a89009d4b45281060379d70cd53c (cherry picked from commit f83da1421b38b021d9c0b829e791c84a1c6d9e1e)
2016-07-21 18:12:28 +02:00
# wificond writes out configuration files for wpa_supplicant/hostapd.
Allow wificond to drop signals on hostapd Stopping hostapd abruptly with SIGKILL can sometimes leave the driver in a poor state. Long term, we should pro-actively go in and clean up the driver. In the short term, it helps tremendously to send SIGTERM and give hostapd time to clean itself up. Bug: 30311493 Test: With patches in this series, wificond can cleanly start and stop hostapd in integration tests. Change-Id: Ic770c2fb1a1b636fced4620fe6e24d1c8dcdfeb8 (cherry picked from commit 762cb7c4aaa1d20309edbb07c932ae12669506a5)
2016-07-29 19:26:54 +02:00
# wificond also reads pid files out of this directory
Allow wificond to write wifi component config files We need the ability to set file permissions, create files, write files, chown files. Test: integration tests that start/stop hostapd and write its config file via wificond pass without SELinux denials. Bug: 30040724 Change-Id: Iee15fb36a6a4a89009d4b45281060379d70cd53c (cherry picked from commit f83da1421b38b021d9c0b829e791c84a1c6d9e1e)
2016-07-21 18:12:28 +02:00
allow wificond wifi_data_file:dir rw_dir_perms;
allow wificond wifi_data_file:file create_file_perms;
# TODO: Remove fowner when wificond runs as the wifi user b/29870863
# We need this today, because we need to chmod hostapd/supplicant
# files, which are owned by system or wifi (not wificond's root).
allow wificond self:capability { chown fowner };
Allow wificond to drop signals on hostapd Stopping hostapd abruptly with SIGKILL can sometimes leave the driver in a poor state. Long term, we should pro-actively go in and clean up the driver. In the short term, it helps tremendously to send SIGTERM and give hostapd time to clean itself up. Bug: 30311493 Test: With patches in this series, wificond can cleanly start and stop hostapd in integration tests. Change-Id: Ic770c2fb1a1b636fced4620fe6e24d1c8dcdfeb8 (cherry picked from commit 762cb7c4aaa1d20309edbb07c932ae12669506a5)
2016-07-29 19:26:54 +02:00
# wificond tries to gracefully kill hostapd by sending it a signal.
# wificond checks for hostapd liveliness with signull.
allow wificond hostapd:process { signal signull };
# wificond needs kill to drop mad signals on hostapd.
allow wificond self:capability kill;
Reference in a new issue Copy permalink