platform_system_sepolicy/private/hal_wifi_supplicant.te

# HwBinder IPC from client to server
binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)

hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
hal_attribute_service(hal_wifi_supplicant, hal_wifi_supplicant_service)

# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;

r_dir_file(hal_wifi_supplicant, sysfs_type)
r_dir_file(hal_wifi_supplicant, proc_net_type)

allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:packet_socket create_socket_perms;
allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };

use_keystore(hal_wifi_supplicant)
binder_use(hal_wifi_supplicant_server)

# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
allow hal_wifi_supplicant wifi_key:keystore2_key {
    get_info
    use
};

###
### neverallow rules
###

# wpa_supplicant should not trust any data from sdcards
neverallow hal_wifi_supplicant_server { sdcard_type fuse }:dir ~getattr;
neverallow hal_wifi_supplicant_server { sdcard_type fuse }:file *;