Commit graph

19 commits

Author SHA1 Message Date
Chris Weir
6e92194802 Allow wpa_supplicant to access Netlink Interceptor
wpa_supplicant needs permission to access the Netlink Interceptor HAL.

Bug: 224844967
Test: Modified version of wpa_supplicant can access Netlink Interceptor
Change-Id: I80c6c980b6655beadfaf14535702ad8e96c2befe
2022-03-24 16:49:30 -07:00
Alan Stokes
607d73f286 Use proc_net_type instead of proc_net.
This restores the change made in ag/3883322, which was inadvertently
reverted with the combination of ag/3998755 and the merge of
aosp/666885.

Bug: 9496886
Bug: 68016944

Test: Builds, device boots, no denial seen.
Change-Id: I6af83c5bf982283d69ac31c0495471079555c894
2018-05-04 14:44:02 +01:00
Alan Stokes
0bff1ac478 Allow wpa_supplicant to write to files in /proc/net. am: 72ed615228
am: 2ee3ad73b8

Change-Id: Ia55c4af1fcee75ada0e67a162fdb92ecc0089312
2018-04-26 08:16:00 -07:00
Alan Stokes
72ed615228 Allow wpa_supplicant to write to files in /proc/net.
This is needed for interface configuration - see e.g. nl80211_configure_data_frame_filters.

Bug: 77903086
Test: WiFi still working

Change-Id: I4b5e2b59eeeb6d0ac19dbcbcf0e7e80942247893
2018-04-26 16:00:49 +01:00
Joel Galenson
90b3b4c3e0 Merge "Hide denial for wpa_supplicant writing to /data/misc/wifi." am: 1356a75fd5
am: 32c46c19eb

Change-Id: Ifd8cf3b5d9ee3f9ca7a713cd722de90bbe341fb2
2018-03-12 20:34:11 +00:00
Joel Galenson
cc9b30a1cd Hide denial for wpa_supplicant writing to /data/misc/wifi.
It should instead write to /data/vendor/wifi.

Bug: 36645291
Test: Built policy.
Change-Id: Ib7ba3477fbc03ebf07b886c60bcf4a64b954934a
2018-03-12 09:14:38 -07:00
Pavel Grafov
54c9dafb5e Allow wpa_supplicant to read security logging property.
This is needed to allow it to log audit events, e.g. cert
validation failure.

Bug: 70886042
Test: manual, attempt connecting to EAP-TLS wifi with bad cert.
Merged-In: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
Change-Id: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
2018-02-14 17:07:35 +00:00
Pavel Grafov
fb22704002 Allow wpa_supplicant to read security logging property.
This is needed to allow it to log audit events, e.g. cert
validation failure.

Bug: 70886042
Test: manual, attempt connecting to EAP-TLS wifi with bad cert.
Change-Id: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
2018-02-14 13:45:00 +00:00
Jeff Vander Stoep
b1590adc2f wpa_supplicant: move control sockets to /data/vendor
Treble compliance.

Bug: 70228425
Bug: 70393317
Test: complete wifi test in b/70393317
Test: Test wifi on Taimen and Sailfish
Test: verify sockets exist in /data/vendor/wifi/wpa/sockets
Change-Id: I217c0eda0e5af50bb603cfcc35d60bf0d9cad72e
2018-01-24 08:50:24 -08:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Alex Klyubin
632bc494f1 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
Change-Id: Iecf74000e6c68f01299667486f3c767912c076d3
2017-04-20 14:45:21 -07:00
Alex Klyubin
20c2d4e98c Remove unnecessary attributes
Test: mmm system/sepolicy
Bug: 34980020

(cherry picked from commit 3cc6a95944)

Change-Id: I64c7275551e8e27d68072e8ec38c07b539989da0
2017-04-14 09:39:19 -07:00
Alex Klyubin
3cc6a95944 Remove unnecessary attributes
Test: mmm system/sepolicy
Bug: 34980020
Change-Id: I36547658a844c58fcb21bb5a0244ab6f61291736
2017-04-12 18:50:46 -07:00
Sandeep Patil
2ee66e7d14 sepolicy: make exec_types in /vendor a subset of vendor_file_type
We install all default hal implementations in /vendor/bin/hw along with
a few domains that are defined in vendor policy and installed in
/vendor. These files MUST be a subset of the global 'vendor_file_type'
which is used to address *all files installed in /vendor* throughout the
policy.

Bug: 36463595
Test: Boot sailfish without any new denials

Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-11 17:20:36 +00:00
Alex Klyubin
9a14704f62 Wifi Keystore HAL is not a HAL
Wifi Keystore HAL is a HwBinder service (currently offered by keystore
daemon) which is used by Wifi Supplicant HAL. This commit thus
switches the SELinux policy of Wifi Keystore HAL to the approach used
for non-HAL HwBinder services.

The basic idea is simimilar to how we express Binder services in the
policy, with two tweaks: (1) we don't have 'hwservicemanager find' and
thus there's no add_hwservice macro, and (2) we need loosen the
coupling between core and vendor components. For example, it should be
possible to move a HwBinder service offered by a core component into
another core component, without having to update the SELinux policy of
the vendor image. We thus annotate all components offering HwBinder
service x across the core-vendor boundary with x_server, which enables
the policy of clients to contain rules of the form:
binder_call(mydomain, x_server), and, if the service uses IPC
callbacks, also binder_call(x_server, mydomain).

Test: mmm system/sepolicy
Test: sesearch indicates to changes to binder { call transfer} between
      keystore and hal_wifi_supplicant_default domains
Bug: 36896667

Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892
2017-04-04 15:04:05 -07:00
Roshan Pius
9af7c95f86 sepolicy: Add new wifi keystore HAL
Moving the wpa_supplicant interaction from the binder keystore service
to the new wifi keystore HAL.

Denials addressed:
03-29 00:04:52.075   734   734 E SELinux : avc:  denied  { get } for
pid=638 uid=1010 scontext=u:r:hal_wifi_keystore_default:s0
tcontext=u:r:keystore:s0 tclass=keystore_key

Bug: 34603782
Test: Able to connect to wifi passpoint networks. Denials no longer
seen.
Change-Id: I97eb9a4aa9968056a2f1fcc7ce5509ceb62fd41e
2017-03-29 14:07:36 -07:00
Jeff Vander Stoep
4a478c47f4 Ban vendor components access to core data types
Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open file:
stat/read/write/append.

This commit marks core data types as core_data_file_type and bans
access to non-core domains with an exemption for apps. A temporary
exemption is also granted to domains that currently rely on
access with TODOs and bug number for each exemption.

Bug: 34980020
Test: Build and boot Marlin. Make phone call, watch youtube video.
      No new denials observed.
Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
2017-03-28 15:44:39 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Roshan Pius
a976e64d89 sepolicy: Make wpa_supplicant a HIDL service
Note: The existing rules allowing socket communication will be removed
once we  migrate over to HIDL completely.

(cherry-pick of 2a9595ede2) 
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
2017-03-07 01:34:28 +00:00