tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/hostapd.te
dcashman cc39f63773 Split general policy into public and private components. 
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00

32 lines
1.2 KiB
Text
Raw Blame History

# userspace wifi access points
type hostapd, domain;
type hostapd_exec, exec_type, file_type;
net_domain(hostapd)
allow hostapd self:capability { net_admin net_raw };
# hostapd learns about its network interface via sysfs.
allow hostapd sysfs:file r_file_perms;
# hostapd follows the /sys/class/net/wlan0 link to the PCI device.
allow hostapd sysfs:lnk_file r_file_perms;
# Allow hostapd to access /proc/net/psched
allow hostapd proc_net:file { getattr open read };
# Various socket permissions.
allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;
allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hostapd self:packet_socket create_socket_perms_no_ioctl;
allow hostapd self:netlink_route_socket nlmsg_write;
# hostapd can read and write WiFi related data and configuration.
# For example, the entropy file is periodically updated.
allow hostapd wifi_data_file:file rw_file_perms;
r_dir_file(hostapd, wifi_data_file)
# hostapd wants to create the directory holding its control socket.
allow hostapd hostapd_socket:dir create_dir_perms;
# hostapd needs to create, bind to, read, and write its control socket.
allow hostapd hostapd_socket:sock_file create_file_perms;
Reference in a new issue View git blame Copy permalink