platform_system_sepolicy/wpa.te
Stephen Smalley 423fd19d91 Update netlink socket classes.
Define new netlink socket security classes introduced by upstream kernel commit
6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket
classes").  This was merged in Linux 4.2 and is therefore only required
for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch
of the kernel/common tree).

Add the new socket classes to socket_class_set.
Add an initial set of allow rules although further refinement
will likely be necessary.  Any allow rule previously written
on :netlink_socket may need to be rewritten or duplicated for
one or more of the more specific classes.  For now, we retain
the existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 01d95c23ab)

Change-Id: Ic00a0d474730cda91ba3bc387e0cc14482f82114
2016-03-03 13:37:40 -08:00

48 lines
1.3 KiB
Text

# wpa - wpa supplicant or equivalent
type wpa, domain, domain_deprecated;
type wpa_exec, exec_type, file_type;
init_daemon_domain(wpa)
net_domain(wpa)
allow wpa kernel:system module_request;
allow wpa self:capability { setuid net_admin setgid net_raw };
allow wpa cgroup:dir create_dir_perms;
allow wpa self:netlink_route_socket nlmsg_write;
allow wpa self:netlink_socket create_socket_perms;
allow wpa self:netlink_generic_socket create_socket_perms;
allow wpa self:packet_socket create_socket_perms;
allow wpa wifi_data_file:dir create_dir_perms;
allow wpa wifi_data_file:file create_file_perms;
unix_socket_send(wpa, system_wpa, system_server)
binder_use(wpa)
# Create a socket for receiving info from wpa
type_transition wpa wifi_data_file:dir wpa_socket "sockets";
allow wpa wpa_socket:dir create_dir_perms;
allow wpa wpa_socket:sock_file create_file_perms;
use_keystore(wpa)
# WPA (wifi) has a restricted set of permissions from the default.
allow wpa keystore:keystore_key {
get
sign
verify
};
# Allow wpa_cli to work. wpa_cli creates a socket in
# /data/misc/wifi/sockets which wpa supplicant communicates with.
userdebug_or_eng(`
unix_socket_send(wpa, wpa, su)
')
###
### neverallow rules
###
# wpa_supplicant should not trust any data from sdcards
neverallow wpa sdcard_type:dir ~getattr;
neverallow wpa sdcard_type:file *;