From 97db27d8c535b8ffc704c62f2c0b65e57001649b Mon Sep 17 00:00:00 2001
From: Christopher Wiley
Date: Thu, 30 Jun 2016 14:23:12 -0700
Subject: [PATCH] Define explicit label for wlan sysfs fwpath
avc: denied { write } for name="fwpath" dev="sysfs" ino=6863 scontext=u:r:wificond:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0
Test: wificond and netd can write to this path, wifi works
Test: `runtest frameworks-wifi` passes
Bug: 29579539
Change-Id: Ia21c654b00b09b9fe3e50d564b82966c9c8e6994
(cherry picked from commit 7d13dd806f37523ba8164325fef9b000d6eacd7c)
---
 file.te | 2 ++
 file_contexts | 1 +
 netd.te | 8 ++++++--
 wificond.te | 2 ++
 4 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/file.te b/file.te
index 235ac77ed..693d513c2 100644
--- a/file.te
+++ b/file.te
@@ -39,6 +39,8 @@ type configfs, fs_type;
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller
 type sysfs_lowmemorykiller, fs_type, sysfs_type;
+# /sys/module/wlan/parameters/fwpath
+type sysfs_wlan_fwpath, fs_type, sysfs_type;
 type sysfs_thermal, sysfs_type, fs_type;
diff --git a/file_contexts b/file_contexts
index 5eec7616a..7d55abe69 100644
--- a/file_contexts
+++ b/file_contexts
@@ -369,6 +369,7 @@
 /sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
 /sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
 /sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
+/sys/module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
 #############################
 # debugfs files
diff --git a/netd.te b/netd.te
index 9b44e4bdf..98da0122b 100644
--- a/netd.te
+++ b/netd.te
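Review bot: In the file.te hunk, `sysfs_wlan_fwpath` is declared without an accompanying `neverallow`, so nothing prevents a later change from granting another domain write access to it. The node appears to select the firmware the wlan driver loads (inferred from its name and the netd.te comment), so a rule along the lines of `neverallow { domain -netd -wificond } sysfs_wlan_fwpath:file w_file_perms;` would pin the writers this commit intends. The exclusion set has to account for any domain that already holds write on every `sysfs_type`, which this patch does not show.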
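Review bot: The added `/sys/module/wlan/parameters/fwpath` entry in file_contexts omits the `--` file-type field that the three entries above it carry, so it matches any object type at that path rather than only a regular file; `/sys/module/wlan/parameters/fwpath -- u:object_r:sysfs_wlan_fwpath:s0` would keep it consistent. The path is also specific to a module named `wlan`, while the netd.te comment in this same commit still refers to `bcmdhd/parameters/firmware_path`. On a device that uses that other path the node would presumably keep the generic `sysfs` label, and the new wificond rule would not cover it.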
@@ -28,10 +28,14 @@ allow netd devpts:chr_file rw_file_perms;
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file write;
-# For /sys/modules/bcmdhd/parameters/firmware_path
-# XXX Split into its own type.
+# Enables PppController and interface enumeration (among others)
+r_dir_file(netd, sysfs_type)
+# Allows setting interface MTU
 allow netd sysfs:file write;
+# For /sys/modules/bcmdhd/parameters/firmware_path
+allow netd sysfs_wlan_fwpath:file w_file_perms;
+
 # TODO: added to match above sysfs rule. Remove me?
 allow netd sysfs_usb:file write;
diff --git a/wificond.te b/wificond.te
index 0da5f380b..2f100dbae 100644
--- a/wificond.te
+++ b/wificond.te
@@ -9,3 +9,5 @@ binder_call(wificond, system_server)
 binder_call(wificond, wpa)
 allow wificond wificond_service:service_manager { add find };
+
+allow wificond sysfs_wlan_fwpath:file w_file_perms;
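Review bot: The new `r_dir_file(netd, sysfs_type)` in netd.te grants netd read access to every type carrying the `sysfs_type` attribute, which is far wider than the fwpath labelling the commit message describes. `allow netd sysfs:file write;` also stays in place, so splitting out `sysfs_wlan_fwpath` does not narrow what netd can write. If only specific nodes are needed, naming their types instead of the attribute would keep this least-privilege; at minimum mark the generic write as temporary, e.g. `# TODO: label the MTU node and drop write on generic sysfs`. The comment above the new rule should also match the path labelled in file_contexts: `# For /sys/module/wlan/parameters/fwpath`.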
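Review bot: The rule added at the end of wificond.te has no comment, unlike the matching netd.te rule, so the reason wificond needs write access to this sysfs node is recorded only in the commit message. Add `# Allow wificond to write the wlan firmware path (/sys/module/wlan/parameters/fwpath)` above it. `w_file_perms` is also broader than the single `write` in the quoted denial; that is probably intended, since the write needs `open`, but it is worth confirming.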