a976e64d89
Note: The existing rules allowing socket communication will be removed
once we migrate over to HIDL completely.
(cherry-pick of 2a9595ede2)
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
55 lines
2.2 KiB
Text
55 lines
2.2 KiB
Text
# HwBinder IPC from client to server
|
|
binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
|
|
binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
|
|
|
|
# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
|
|
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
|
|
|
|
r_dir_file(hal_wifi_supplicant, sysfs_type)
|
|
r_dir_file(hal_wifi_supplicant, proc_net)
|
|
|
|
allow hal_wifi_supplicant kernel:system module_request;
|
|
allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
|
|
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
|
|
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
|
|
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
|
|
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
allow hal_wifi_supplicant self:packet_socket create_socket_perms;
|
|
allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
|
|
allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
|
|
allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
|
|
# TODO(b/35707797): Remove this socket access.
|
|
unix_socket_send(hal_wifi_supplicant, system_wpa, system_server)
|
|
|
|
# HIDL interface exposed by WPA.
|
|
hwbinder_use(hal_wifi_supplicant)
|
|
binder_call(hal_wifi_supplicant, system_server)
|
|
|
|
# Create a socket for receiving info from wpa
|
|
allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
|
|
allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
|
|
|
|
# TODO(b/34131400): Use hwbinder to access keystore.
|
|
use_keystore(hal_wifi_supplicant)
|
|
binder_use(hal_wifi_supplicant)
|
|
|
|
# WPA (wifi) has a restricted set of permissions from the default.
|
|
allow hal_wifi_supplicant keystore:keystore_key {
|
|
get
|
|
sign
|
|
verify
|
|
};
|
|
|
|
# Allow wpa_cli to work. wpa_cli creates a socket in
|
|
# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
|
|
userdebug_or_eng(`
|
|
unix_socket_send(hal_wifi_supplicant, wpa, su)
|
|
')
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# wpa_supplicant should not trust any data from sdcards
|
|
neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
|
|
neverallow hal_wifi_supplicant_server sdcard_type:file *;
|