tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/hal_wifi_hostapd.te
Roshan Pius 5bca3e860d sepolicy(hostapd): Add a HIDL interface for hostapd 
Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
2018-01-12 14:05:38 -08:00

28 lines
1.2 KiB
Text
Raw Blame History

# HwBinder IPC from client to server
binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
allow hal_wifi_hostapd_server sysfs_net:dir search;
# Allow hal_wifi_hostapd to access /proc/net/psched
allow hal_wifi_hostapd_server proc_net:file { getattr open read };
# Various socket permissions.
allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
###
### neverallow rules
###
# hal_wifi_hostapd should not trust any data from sdcards
neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
neverallow hal_wifi_hostapd_server sdcard_type:file *;
Reference in a new issue View git blame Copy permalink