platform_system_sepolicy/public/wificond.te

# wificond
type wificond, domain;
type wificond_exec, system_file_type, exec_type, file_type;

binder_use(wificond)
binder_call(wificond, system_server)
binder_call(wificond, keystore)

add_service(wificond, wifinl80211_service)

# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;
# setting interface state up/down is a privileged ioctl
allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
allow wificond self:global_capability_class_set { net_admin net_raw };
# allow wificond to speak to nl80211 in the kernel
allow wificond self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;

r_dir_file(wificond, proc_net_type)

# allow wificond to check permission for dumping logs
allow wificond permission_service:service_manager find;

# dumpstate support
allow wificond dumpstate:fd use;
allow wificond dumpstate:fifo_file write;

#### Offer the Wifi Keystore HwBinder service ###
hwbinder_use(wificond)
typeattribute wificond wifi_keystore_service_server;
add_hwservice(wificond, system_wifi_keystore_hwservice)

# Allow keystore binder access to serve the HwBinder service.
allow wificond keystore_service:service_manager find;
allow wificond keystore:keystore_key get;