606d2fd665
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.
Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.
mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.
Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.
Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.
Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
45 lines
1.6 KiB
Text
45 lines
1.6 KiB
Text
# wificond
|
|
type wificond, domain;
|
|
type wificond_exec, exec_type, file_type;
|
|
|
|
binder_use(wificond)
|
|
binder_call(wificond, system_server)
|
|
|
|
add_service(wificond, wificond_service)
|
|
|
|
# wificond writes firmware paths to this file.
|
|
# wificond also changes the owership of this file on startup.
|
|
allow wificond sysfs_wlan_fwpath:file { w_file_perms setattr };
|
|
|
|
set_prop(wificond, wifi_prop)
|
|
set_prop(wificond, ctl_default_prop)
|
|
|
|
# create sockets to set interfaces up and down
|
|
allow wificond self:udp_socket create_socket_perms;
|
|
# setting interface state up/down is a privileged ioctl
|
|
allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
|
|
allow wificond self:capability { net_admin net_raw };
|
|
# allow wificond to speak to nl80211 in the kernel
|
|
allow wificond self:netlink_socket create_socket_perms_no_ioctl;
|
|
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
|
|
allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
|
|
r_dir_file(wificond, proc_net)
|
|
|
|
# wificond writes out configuration files for wpa_supplicant/hostapd.
|
|
# wificond also reads pid files out of this directory
|
|
allow wificond wifi_data_file:dir rw_dir_perms;
|
|
allow wificond wifi_data_file:file create_file_perms;
|
|
|
|
# wificond drops root shortly after starting
|
|
# wificond changes the ownership of some files before dropping root
|
|
allow wificond self:capability { setuid setgid setpcap chown };
|
|
|
|
# wificond cleans up sockets created by wpa_supplicant and framework
|
|
allow wificond wpa_socket:dir rw_dir_perms;
|
|
allow wificond system_wpa_socket:sock_file unlink;
|
|
allow wificond wpa_socket:sock_file unlink;
|
|
|
|
# dumpstate support
|
|
allow wificond dumpstate:fd use;
|
|
allow wificond dumpstate:fifo_file write;
|