# userspace wifi access points type hostapd, domain; type hostapd_exec, exec_type, file_type; init_daemon_domain(hostapd) net_domain(hostapd) allow hostapd self:capability { net_admin net_raw }; # hostapd learns about its network interface via sysfs. allow hostapd sysfs:file r_file_perms; # hostapd follows the /sys/class/net/wlan0 link to the PCI device. allow hostapd sysfs:lnk_file r_file_perms; # Allow hostapd to access /proc/net/psched allow hostapd proc_net:file { getattr open read }; # Various socket permissions. allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls; allow hostapd self:netlink_socket create_socket_perms_no_ioctl; allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl; allow hostapd self:packet_socket create_socket_perms_no_ioctl; allow hostapd self:netlink_route_socket nlmsg_write; # hostapd can read and write WiFi related data and configuration. # For example, the entropy file is periodically updated. allow hostapd wifi_data_file:file rw_file_perms; r_dir_file(hostapd, wifi_data_file) # hostapd wants to create the directory holding its control socket. allow hostapd hostapd_socket:dir create_dir_perms; # hostapd needs to create, bind to, read, and write its control socket. allow hostapd hostapd_socket:sock_file create_file_perms; # TODO (b/36646171) Move hostapd's data access to /data/vendor # Remove coredata_in_vendor_violators attribute. typeattribute hostapd coredata_in_vendor_violators;