cec44a61ba
Adding back the binder permission to access keystore from
wpa_supplicant. This was removed by mistake in the previous patch
(commit#: 6caeac) to add hwbinder permissions.
Denials in logs:
11-03 14:37:54.831 9011 9011 I auditd : type=1400 audit(0.0:1490):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:54.831 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1490): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.838 9011 9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:55.834 9011 9011 I auditd : type=1400 audit(0.0:1491):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.834 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1491): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.838 9011 9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:56.834 9011 9011 I auditd : type=1400 audit(0.0:1492):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.834 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1492): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.839 9011 9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:57.834 9011 9011 I auditd : type=1400 audit(0.0:1493):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.834 9011 9011 W wpa_supplicant: type=1400
audit(0.0:1493): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
Bug: 32655747
Test: Compiles. Will send for integration testing.
Change-Id: Ic57a5bf0e6ea15770efc0d09f68d04b2db9ec1b8
56 lines
1.6 KiB
Text
56 lines
1.6 KiB
Text
# wpa - wpa supplicant or equivalent
|
|
type wpa, domain, domain_deprecated;
|
|
type wpa_exec, exec_type, file_type;
|
|
|
|
net_domain(wpa)
|
|
# in addition to ioctls whitelisted for all domains, grant wpa priv_sock_ioctls.
|
|
allowxperm wpa self:udp_socket ioctl priv_sock_ioctls;
|
|
|
|
r_dir_file(wpa, sysfs_type)
|
|
r_dir_file(wpa, proc_net)
|
|
|
|
allow wpa kernel:system module_request;
|
|
allow wpa self:capability { setuid net_admin setgid net_raw };
|
|
allow wpa cgroup:dir create_dir_perms;
|
|
allow wpa self:netlink_route_socket nlmsg_write;
|
|
allow wpa self:netlink_socket create_socket_perms_no_ioctl;
|
|
allow wpa self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
allow wpa self:packet_socket create_socket_perms;
|
|
allowxperm wpa self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
|
|
allow wpa wifi_data_file:dir create_dir_perms;
|
|
allow wpa wifi_data_file:file create_file_perms;
|
|
unix_socket_send(wpa, system_wpa, system_server)
|
|
|
|
# Keystore access via binder.
|
|
binder_use(wpa)
|
|
|
|
# HIDL interface exposed by WPA.
|
|
hwbinder_use(wpa)
|
|
binder_call(wpa, wificond)
|
|
|
|
# Create a socket for receiving info from wpa
|
|
allow wpa wpa_socket:dir create_dir_perms;
|
|
allow wpa wpa_socket:sock_file create_file_perms;
|
|
|
|
use_keystore(wpa)
|
|
|
|
# WPA (wifi) has a restricted set of permissions from the default.
|
|
allow wpa keystore:keystore_key {
|
|
get
|
|
sign
|
|
verify
|
|
};
|
|
|
|
# Allow wpa_cli to work. wpa_cli creates a socket in
|
|
# /data/misc/wifi/sockets which wpa supplicant communicates with.
|
|
userdebug_or_eng(`
|
|
unix_socket_send(wpa, wpa, su)
|
|
')
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# wpa_supplicant should not trust any data from sdcards
|
|
neverallow wpa sdcard_type:dir ~getattr;
|
|
neverallow wpa sdcard_type:file *;
|