623975fa5a
Permissive domains are only intended for development. When a device launches, we want to ensure that all permissive domains are in, at a minimum, unconfined+enforcing. Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During development, this flag is false, and permissive domains are allowed. When SELinux new feature development has been frozen immediately before release, this flag will be flipped to true. Any previously permissive domains will move into unconfined+enforcing. This will ensure that all SELinux domains have at least a minimal level of protection. Unconditionally enable this flag for all user builds. Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
# wpa - wpa supplicant or equivalent
#
# Type enforcement rules for the Wi-Fi supplicant daemon domain.
# The macros used below (permissive_or_unconfined, init_daemon_domain,
# unix_socket_send) and the permission sets (create_dir_perms,
# create_file_perms, r_file_perms) are defined outside this file.

# Declare the process type and give it the "domain" attribute.
type wpa, domain;
# Per the commit description, FORCE_PERMISSIVE_TO_UNCONFINED in Android.mk
# decides what this expands to: false leaves the domain permissive
# (development), true moves it into unconfined+enforcing (always true on
# user builds).
# NOTE(review): while this macro is present, the allow rules below are
# presumably not the effective boundary for wpa. Confirm against the macro
# definition before treating them as a least-privilege description.
permissive_or_unconfined(wpa)
# Label type for the supplicant executable.
type wpa_exec, exec_type, file_type;

# Presumably sets up the init -> wpa domain transition when init executes a
# wpa_exec file -- TODO confirm against the macro definition.
init_daemon_domain(wpa)
# Let wpa ask the kernel to load a module.
allow wpa kernel:system module_request;
# Capabilities: change uid/gid (setuid, setgid), administer network
# interfaces (net_admin) and use raw/packet sockets (net_raw).
allow wpa self:capability { setuid net_admin setgid net_raw };
allow wpa cgroup:dir create_dir_perms;
# NOTE(review): "*" grants every permission defined for the class on each of
# the four socket classes below. Replacing the wildcard with an explicit
# permission set would keep these rules meaningful once the domain is confined.
allow wpa self:netlink_route_socket *;
allow wpa self:netlink_socket *;
allow wpa self:packet_socket *;
allow wpa self:udp_socket *;
# Create and manage directories and files labelled wifi_data_file.
allow wpa wifi_data_file:dir create_dir_perms;
allow wpa wifi_data_file:file create_file_perms;
# Presumably lets wpa send on the system_wpa unix socket owned by
# system_server -- TODO confirm argument order against the macro definition.
unix_socket_send(wpa, system_wpa, system_server)
# Read access to the random_device character device.
allow wpa random_device:chr_file r_file_perms;

# Create a socket for receiving info from wpa
# A sock_file that wpa creates in a wifi_data_file directory is labelled
# wpa_socket instead of inheriting the directory's type. wpa_socket is not
# declared in this file.
type_transition wpa wifi_data_file:sock_file wpa_socket;
allow wpa wpa_socket:sock_file create_file_perms;