sepolicy: Add permissions for wpa_supplicant binder

Add the necessary permissions for |wpa_supplicant| to expose a binder
interface. This binder interface will be used by the newly added
|wificond| service (and potentially system_server).
|wpa_supplicant| also needs to invoke binder callbacks on |wificond|.

Changes in the CL:
1. Allow |wpa_supplicant| to register binder service.
2. Allow |wpa_supplicant| to invoke binder calls on |wificond|.
3. Allow |wificond| to invoke binder calls on |wpa_supplicant|.

Denials:
06-30 08:14:42.788   400   400 E SELinux : avc:  denied  { add } for
service=wpa_supplicant pid=20756 uid=1010 scontext=u:r:wpa:s0
tcontext=u:object_r:default_android_service:s0 tclass=service_manager
permissive=1

BUG:29877467
TEST: Compiled and ensured that the selinux denials are no longer
present in logs.
TEST: Ran integration test to find the service.

Change-Id: Ib78d8e820fc81b2c3d9260e1c877c5faa9f1f662
Roshan Pius 2016-06-30 08:20:29 -07:00
parent f3632cf094
commit 18883a93b7
4 changed files with 6 additions and 0 deletions


@ -120,3 +120,4 @@ type wifiscanner_service, system_api_service, system_server_service, service_man
type wifi_service, app_api_service, system_server_service, service_manager_type;
type wificond_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
type wpa_supplicant_service, system_server_service, service_manager_type;
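Review bot: the new `type wpa_supplicant_service, system_server_service, service_manager_type;` line attaches the `system_server_service` attribute, which lets system_server find this service, while the commit message only says system_server may "potentially" use it. Since wificond is the only consumer today, consider declaring the type with just `service_manager_type` and adding `system_server_service` in the CL that actually introduces a system_server client, so the exposed binder surface stays limited to its real callers.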


@ -145,4 +145,5 @@ wifiscanner u:object_r:wifiscanner_service:s0
wifi u:object_r:wifi_service:s0
wificond u:object_r:wificond_service:s0
window u:object_r:window_service:s0
wpa u:object_r:wpa_supplicant_service:s0
* u:object_r:default_android_service:s0
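Review bot: the new service_contexts entry is keyed on the name `wpa`, but the denial quoted in the commit message reports `service=wpa_supplicant`; if the daemon registers under that name, the lookup falls through to the `* u:object_r:default_android_service:s0` catch-all and the `add` denial remains. Worth double-checking the exact name passed to addService and making the key match it (or renaming the registered service to `wpa`), so the service is labeled `wpa_supplicant_service` rather than the default type.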


@ -6,5 +6,6 @@ init_daemon_domain(wificond)
binder_use(wificond)
binder_call(wificond, system_server)
binder_call(wificond, wpa)
allow wificond wificond_service:service_manager { add find };
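Review bot: `binder_call(wificond, wpa)` lets wificond call into the wpa domain, but nothing in this hunk grants wificond `find` on `wpa_supplicant_service`, so a servicemanager lookup of the new service from wificond would still be denied unless that rule lives in a file not shown here. If wificond obtains the interface through servicemanager (the commit's "ran integration test to find the service" suggests it does), add `allow wificond wpa_supplicant_service:service_manager find;` next to the existing `allow wificond wificond_service:service_manager { add find };` line.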

wpa.te

@ -23,7 +23,10 @@ allow wpa wifi_data_file:dir create_dir_perms;
allow wpa wifi_data_file:file create_file_perms;
unix_socket_send(wpa, system_wpa, system_server)
# Binder interface exposed by WPA.
binder_use(wpa)
binder_call(wpa, wificond)
allow wpa wpa_supplicant_service:service_manager { add find };
# Create a socket for receiving info from wpa
type_transition wpa wifi_data_file:dir wpa_socket "sockets";
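Review bot: `allow wpa wpa_supplicant_service:service_manager { add find };` grants wpa `find` on its own service, which a daemon that only registers the interface does not need; `add` alone covers the denial shown in the commit message. Unless wpa_supplicant also looks up its own service, drop `find` to keep the rule minimal (the existing wificond rule this mirrors has the same question).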