00b180dfb8
As reported by sepolicy-analyze -D -P /path/to/sepolicy. No semantic difference reported by sediff between the policy before and after this change. Deduplication of selinuxfs read access resolved by taking the common rules to domain.te (and thereby getting rid of the selinux_getenforce macro altogether). Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
31 lines
992 B
Text
31 lines
992 B
Text
# wpa - wpa supplicant or equivalent
|
|
type wpa, domain;
|
|
type wpa_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(wpa)
|
|
|
|
net_domain(wpa)
|
|
|
|
allow wpa kernel:system module_request;
|
|
allow wpa self:capability { setuid net_admin setgid net_raw };
|
|
allow wpa cgroup:dir create_dir_perms;
|
|
allow wpa self:netlink_route_socket nlmsg_write;
|
|
allow wpa self:netlink_socket create_socket_perms;
|
|
allow wpa self:packet_socket create_socket_perms;
|
|
allow wpa wifi_data_file:dir create_dir_perms;
|
|
allow wpa wifi_data_file:file create_file_perms;
|
|
unix_socket_send(wpa, system_wpa, system_server)
|
|
|
|
binder_use(wpa)
|
|
binder_call(wpa, keystore)
|
|
|
|
# Create a socket for receiving info from wpa
|
|
type_transition wpa wifi_data_file:dir wpa_socket "sockets";
|
|
allow wpa wpa_socket:dir create_dir_perms;
|
|
allow wpa wpa_socket:sock_file create_file_perms;
|
|
|
|
# Allow wpa_cli to work. wpa_cli creates a socket in
|
|
# /data/misc/wifi/sockets which wpa supplicant communicates with.
|
|
userdebug_or_eng(`
|
|
unix_socket_send(wpa, wpa, su)
|
|
')
|