tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/vendor/hostapd.te
Jeff Vander Stoep 4a478c47f4 Ban vendor components access to core data types 
Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open file:
stat/read/write/append.

This commit marks core data types as core_data_file_type and bans
access to non-core domains with an exemption for apps. A temporary
exemption is also granted to domains that currently rely on
access with TODOs and bug number for each exemption.

Bug: 34980020
Test: Build and boot Marlin. Make phone call, watch youtube video.
      No new denials observed.
Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
2017-03-28 15:44:39 -07:00

37 lines
1.4 KiB
Text
Raw Blame History

# userspace wifi access points
type hostapd, domain;
type hostapd_exec, exec_type, file_type;
init_daemon_domain(hostapd)
net_domain(hostapd)
allow hostapd self:capability { net_admin net_raw };
# hostapd learns about its network interface via sysfs.
allow hostapd sysfs:file r_file_perms;
# hostapd follows the /sys/class/net/wlan0 link to the PCI device.
allow hostapd sysfs:lnk_file r_file_perms;
# Allow hostapd to access /proc/net/psched
allow hostapd proc_net:file { getattr open read };
# Various socket permissions.
allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;
allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hostapd self:packet_socket create_socket_perms_no_ioctl;
allow hostapd self:netlink_route_socket nlmsg_write;
# hostapd can read and write WiFi related data and configuration.
# For example, the entropy file is periodically updated.
allow hostapd wifi_data_file:file rw_file_perms;
r_dir_file(hostapd, wifi_data_file)
# hostapd wants to create the directory holding its control socket.
allow hostapd hostapd_socket:dir create_dir_perms;
# hostapd needs to create, bind to, read, and write its control socket.
allow hostapd hostapd_socket:sock_file create_file_perms;
# TODO (b/36646171) Move hostapd's data access to /data/vendor
# Remove coredata_in_vendor_violators attribute.
typeattribute hostapd coredata_in_vendor_violators;
Reference in a new issue View git blame Copy permalink