75806ef3c5
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
32 lines
1.3 KiB
Text
32 lines
1.3 KiB
Text
# HwBinder IPC from client to server
|
|
binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
|
|
binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
|
|
|
|
hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
|
|
hal_attribute_service(hal_wifi_hostapd, hal_wifi_hostapd_service)
|
|
|
|
binder_use(hal_wifi_hostapd_server)
|
|
|
|
allow hal_wifi_hostapd_server dumpstate:fifo_file write;
|
|
|
|
allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
|
|
|
|
allow hal_wifi_hostapd_server sysfs_net:dir search;
|
|
|
|
# Allow hal_wifi_hostapd to access /proc/net/psched
|
|
allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };
|
|
|
|
# Various socket permissions.
|
|
allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
|
|
allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
|
|
allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
|
|
allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# hal_wifi_hostapd should not trust any data from sdcards
|
|
neverallow hal_wifi_hostapd_server { sdcard_type fuse }:dir ~getattr;
|
|
neverallow hal_wifi_hostapd_server { sdcard_type fuse }:file *;
|