bff9801521
Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
32 lines
1.3 KiB
Text
32 lines
1.3 KiB
Text
# userspace wifi access points
|
|
type hostapd, domain;
|
|
type hostapd_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(hostapd)
|
|
net_domain(hostapd)
|
|
allow hostapd self:capability { net_admin net_raw };
|
|
|
|
# hostapd learns about its network interface via sysfs.
|
|
allow hostapd sysfs:file r_file_perms;
|
|
# hostapd follows the /sys/class/net/wlan0 link to the PCI device.
|
|
allow hostapd sysfs:lnk_file r_file_perms;
|
|
|
|
# Allow hostapd to access /proc/net/psched
|
|
allow hostapd proc_net:file { getattr open read };
|
|
|
|
# Various socket permissions.
|
|
allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;
|
|
allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
|
|
allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
allow hostapd self:packet_socket create_socket_perms_no_ioctl;
|
|
allow hostapd self:netlink_route_socket nlmsg_write;
|
|
|
|
# hostapd can read and write WiFi related data and configuration.
|
|
# For example, the entropy file is periodically updated.
|
|
allow hostapd wifi_data_file:file rw_file_perms;
|
|
r_dir_file(hostapd, wifi_data_file)
|
|
|
|
# hostapd wants to create the directory holding its control socket.
|
|
allow hostapd hostapd_socket:dir create_dir_perms;
|
|
# hostapd needs to create, bind to, read, and write its control socket.
|
|
allow hostapd hostapd_socket:sock_file create_file_perms;
|