commit 7c539b1c968724de92d5a5070540fd4051eac67a
author Roshan Pius <rpius@google.com> Thu Jun 30 08:20:29 2016 -0700
committer Mitchell Wills <mwills@google.com> Fri Aug 26 13:13:51 2016 -0700
tree d9ea529bb1d7674ca897136a16967d8bdc1c7ac2
parent b83c8cb1390f978658ed352340868a1a9fb4b711

sepolicy: Add permissions for wpa_supplicant binder

Add the necessary permissions for |wpa_supplicant| to expose a binder
interface. This binder interface will be used by the newly added
|wificond| service (and potentially system_server).
|wpa_supplicant| also needs to invoke binder callbacks on |wificond|.

Changes in the CL:
1. Allow |wpa_supplicant| to register binder service.
2. Allow |wpa_supplicant| to invoke binder calls on |wificond|.
3. Allow |wificond| to invoke binder calls on |wpa_supplicant|

Denials:
06-30 08:14:42.788   400   400 E SELinux : avc:  denied  { add } for
service=wpa_supplicant pid=20756 uid=1010 scontext=u:r:wpa:s0
tcontext=u:object_r:default_android_service:s0 tclass=service_manager
permissive=1

BUG:29877467
TEST: Compiled and ensured that the selinux denials are no longer
present in logs.
TEST: Ran integration test to find the service.

Change-Id: Ib78d8e820fc81b2c3d9260e1c877c5faa9f1f662
(cherry picked from commit 18883a93b795da6409beeddf2c6ce34ce8234cb0)

service.te

diff --git a/service.te b/service.te
index c891ca8..d72d655 100644
--- a/service.te
+++ b/service.te
@@ -120,3 +120,4 @@
 type wifi_service, app_api_service, system_server_service, service_manager_type;
 type wificond_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
+type wpa_supplicant_service, system_server_service, service_manager_type;

service_contexts

diff --git a/service_contexts b/service_contexts
index 218cb8f..2b7a1b1 100644
--- a/service_contexts
+++ b/service_contexts
@@ -145,4 +145,5 @@
 wifi                                      u:object_r:wifi_service:s0
 wificond                                  u:object_r:wificond_service:s0
 window                                    u:object_r:window_service:s0
+wpa                                       u:object_r:wpa_supplicant_service:s0
 *                                         u:object_r:default_android_service:s0

wificond.te

diff --git a/wificond.te b/wificond.te
index edc82e0..0da5f38 100644
--- a/wificond.te
+++ b/wificond.te
@@ -6,5 +6,6 @@
 
 binder_use(wificond)
 binder_call(wificond, system_server)
+binder_call(wificond, wpa)
 
 allow wificond wificond_service:service_manager { add find };

wpa.te

diff --git a/wpa.te b/wpa.te
index 46d975b..a49e041 100644
--- a/wpa.te
+++ b/wpa.te
@@ -17,7 +17,10 @@
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)
 
+# Binder interface exposed by WPA.
 binder_use(wpa)
+binder_call(wpa, wificond)
+allow wpa wpa_supplicant_service:service_manager { add find };
 
 # Create a socket for receiving info from wpa
 type_transition wpa wifi_data_file:dir wpa_socket "sockets";