sepolicy: Permission changes for new wifi mainline module am: 3aa1c1725e am: 3754b4b007
am: 900dbb91d3
Change-Id: I1a1ed5fc5c2dc5c6f334ebb78b8c6efbc67bac11
This commit is contained in:
Roshan Pius
android-build-merger
commit
cf384039af
12 changed files with 80 additions and 9 deletions
|
|
@ -10,4 +10,7 @@
|
|||
device_config_sys_traced_prop
|
||||
runtime_apex_dir
|
||||
system_ashmem_hwservice
|
||||
vendor_apex_file))
|
||||
vendor_apex_file
|
||||
wifi_stack
|
||||
wifi_stack_service
|
||||
wifi_stack_tmpfs))
|
||||
|
|
|
|||
|
|
@ -507,6 +507,7 @@
|
|||
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
|
||||
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
|
||||
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
|
||||
/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
|
||||
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
|
||||
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
|
||||
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
|
||||
|
|
|
|||
|
|
@ -35,4 +35,5 @@ neverallow {
|
|||
-shell
|
||||
userdebug_or_eng(`-su')
|
||||
-system_app
|
||||
-wifi_stack
|
||||
} runtime_event_log_tags_file:file no_rw_file_perms;
|
||||
|
|
|
|||
|
|
@ -143,6 +143,8 @@ isSystemServer=true domain=system_server_startup
|
|||
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
|
||||
user=system seinfo=platform domain=system_app type=system_app_data_file
|
||||
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
|
||||
# TODO (b/135691051): wifi stack is temporarily a separate process. Will merge to network_stack once non-formal API dependencies are fixed.
|
||||
user=network_stack seinfo=network_stack name=com.android.server.wifistack domain=wifi_stack
|
||||
user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
|
||||
user=nfc seinfo=platform domain=nfc type=nfc_data_file
|
||||
user=secure_element seinfo=platform domain=secure_element levelFrom=all
|
||||
|
|
|
|||
|
|
@ -218,5 +218,6 @@ wifi u:object_r:wifi_service:s0
|
|||
wificond u:object_r:wificond_service:s0
|
||||
wifiaware u:object_r:wifiaware_service:s0
|
||||
wifirtt u:object_r:rttmanager_service:s0
|
||||
wifi_stack u:object_r:wifi_stack_service:s0
|
||||
window u:object_r:window_service:s0
|
||||
* u:object_r:default_android_service:s0
|
||||
|
|
|
|||
|
|
@ -21,6 +21,7 @@ allow vold_prepare_subdirs {
|
|||
rollback_data_file
|
||||
storaged_data_file
|
||||
vold_data_file
|
||||
wifi_data_file
|
||||
}:dir { create_dir_perms relabelto };
|
||||
allow vold_prepare_subdirs {
|
||||
backup_data_file
|
||||
|
|
@ -31,6 +32,7 @@ allow vold_prepare_subdirs {
|
|||
storaged_data_file
|
||||
system_data_file
|
||||
vold_data_file
|
||||
wifi_data_file
|
||||
}:file { getattr unlink };
|
||||
|
||||
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
|
||||
|
|
|
|||
56
private/wifi_stack.te
Normal file
56
private/wifi_stack.te
Normal file
|
|
@ -0,0 +1,56 @@
|
|||
# Wifi Stack Mandatory
|
||||
typeattribute wifi_stack coredomain;
|
||||
|
||||
app_domain(wifi_stack)
|
||||
net_domain(wifi_stack)
|
||||
|
||||
# Data file accesses.
|
||||
# Manage /data/misc/wifi.
|
||||
allow wifi_stack wifi_data_file:dir create_dir_perms;
|
||||
allow wifi_stack wifi_data_file:file create_file_perms;
|
||||
allow wifi_stack radio_data_file:dir search;
|
||||
|
||||
# Property accesses
|
||||
userdebug_or_eng(`
|
||||
set_prop(wifi_stack, wifi_log_prop)
|
||||
|
||||
# Allow wifi_stack to read dmesg
|
||||
# TODO(b/137085509): Remove this.
|
||||
allow wifi_stack kernel:system syslog_read;
|
||||
')
|
||||
|
||||
# ctl interface
|
||||
|
||||
# Perform Binder IPC.
|
||||
binder_use(wifi_stack)
|
||||
allow wifi_stack app_api_service:service_manager find;
|
||||
allow wifi_stack network_score_service:service_manager find;
|
||||
allow wifi_stack netd_service:service_manager find;
|
||||
allow wifi_stack network_stack_service:service_manager find;
|
||||
allow wifi_stack radio_service:service_manager find;
|
||||
allow wifi_stack wificond_service:service_manager find;
|
||||
allow wifi_stack wifiscanner_service:service_manager find;
|
||||
binder_call(wifi_stack, system_server)
|
||||
binder_call(wifi_stack, wificond)
|
||||
binder_call(wifi_stack, network_stack)
|
||||
|
||||
# Perform HwBinder IPC.
|
||||
hwbinder_use(wifi_stack)
|
||||
hal_client_domain(wifi_stack, hal_wifi)
|
||||
hal_client_domain(wifi_stack, hal_wifi_hostapd)
|
||||
hal_client_domain(wifi_stack, hal_wifi_supplicant)
|
||||
|
||||
# Allow WifiService to start, stop, and read wifi-specific trace events.
|
||||
allow wifi_stack debugfs_tracing_instances:dir search;
|
||||
allow wifi_stack debugfs_wifi_tracing:dir search;
|
||||
allow wifi_stack debugfs_wifi_tracing:file rw_file_perms;
|
||||
|
||||
# Connectivity
|
||||
allow wifi_stack self:capability { net_bind_service net_admin net_raw };
|
||||
allow wifi_stack self:packet_socket create_socket_perms_no_ioctl;
|
||||
allow wifi_stack self:netlink_route_socket nlmsg_write;
|
||||
allowxperm wifi_stack self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
# dumpstate support
|
||||
allow wifi_stack dumpstate:fd use;
|
||||
allow wifi_stack dumpstate:fifo_file write;
|
||||
|
|
@ -367,8 +367,8 @@ binder_call({ appdomain -coredomain }, ashmem_server)
|
|||
###
|
||||
|
||||
# Superuser capabilities.
|
||||
# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
|
||||
neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
|
||||
# bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.
|
||||
neverallow { appdomain -bluetooth -network_stack -wifi_stack } self:capability_class_set *;
|
||||
|
||||
# Block device access.
|
||||
neverallow appdomain dev_type:blk_file { read write };
|
||||
|
|
@ -491,9 +491,8 @@ neverallow appdomain
|
|||
neverallow appdomain
|
||||
systemkeys_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow appdomain
|
||||
wifi_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow { appdomain -wifi_stack }
|
||||
wifi_data_file:dir_file_class_set *;
|
||||
neverallow appdomain
|
||||
dhcp_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
|
@ -516,7 +515,7 @@ neverallow appdomain
|
|||
proc:dir_file_class_set write;
|
||||
|
||||
# Access to syslog(2) or /proc/kmsg.
|
||||
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
|
||||
neverallow { appdomain userdebug_or_eng(`-wifi_stack') } kernel:system { syslog_read syslog_mod syslog_console };
|
||||
|
||||
# SELinux is not an API for apps to use
|
||||
neverallow { appdomain -shell } *:security { compute_av check_context };
|
||||
|
|
|
|||
|
|
@ -141,6 +141,7 @@ neverallow {
|
|||
-network_stack
|
||||
-netd
|
||||
-netutils_wrapper
|
||||
-wifi_stack
|
||||
} netd_service:service_manager find;
|
||||
|
||||
# only system_server, dumpstate and network stack app may find dnsresolver service
|
||||
|
|
@ -151,11 +152,12 @@ neverallow {
|
|||
-network_stack
|
||||
-netd
|
||||
-netutils_wrapper
|
||||
-wifi_stack
|
||||
} dnsresolver_service:service_manager find;
|
||||
|
||||
# apps may not interact with netd over binder.
|
||||
neverallow { appdomain -network_stack } netd:binder call;
|
||||
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
|
||||
neverallow { appdomain -network_stack -wifi_stack } netd:binder call;
|
||||
neverallow netd { appdomain -network_stack -wifi_stack userdebug_or_eng(`-su') }:binder call;
|
||||
|
||||
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
|
||||
# leaked to other processes. Make sure it never leaks.
|
||||
|
|
|
|||
|
|
@ -182,6 +182,7 @@ type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_s
|
|||
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
|
||||
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
|
||||
type wifi_service, app_api_service, system_server_service, service_manager_type;
|
||||
type wifi_stack_service, system_server_service, service_manager_type;
|
||||
type wificond_service, service_manager_type;
|
||||
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
|
||||
type window_service, system_api_service, system_server_service, service_manager_type;
|
||||
|
|
|
|||
2
public/wifi_stack.te
Normal file
2
public/wifi_stack.te
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
# Wifi Stack Mandatory
|
||||
type wifi_stack, domain;
|
||||
|
|
@ -4,6 +4,7 @@ type wificond_exec, system_file_type, exec_type, file_type;
|
|||
|
||||
binder_use(wificond)
|
||||
binder_call(wificond, system_server)
|
||||
binder_call(wificond, wifi_stack)
|
||||
|
||||
add_service(wificond, wificond_service)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue