Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / a976e64d89575fb93b9fb1ca47c6aefc496e91b9^! / . / public / hal_wifi_supplicant.te
commita976e64d89575fb93b9fb1ca47c6aefc496e91b9[log] [tgz]
authorRoshan Pius <rpius@google.com>Sat Feb 18 21:32:32 2017 -0800
committerRoshan Pius <rpius@google.com>Tue Mar 07 01:34:28 2017 +0000
tree86eceabaa98f9ff5159ef6161ad25bd16e3f5e57
parent32cc614866db08b0c238c77a2e876a092a85fdec [diff] [blame]
sepolicy: Make wpa_supplicant a HIDL service

Note: The existing rules allowing socket communication will be removed
once we  migrate over to HIDL completely.

(cherry-pick of 2a9595ede2c9a224686e619c2ee5c976dd324ac0) 
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615

diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
new file mode 100644
index 0000000..8d2c0ea
--- /dev/null
+++ b/public/hal_wifi_supplicant.te

@@ -0,0 +1,55 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
+binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
+
+# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(hal_wifi_supplicant, sysfs_type)
+r_dir_file(hal_wifi_supplicant, proc_net)
+
+allow hal_wifi_supplicant kernel:system module_request;
+allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
+allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
+allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:packet_socket create_socket_perms;
+allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
+# TODO(b/35707797): Remove this socket access.
+unix_socket_send(hal_wifi_supplicant, system_wpa, system_server)
+
+# HIDL interface exposed by WPA.
+hwbinder_use(hal_wifi_supplicant)
+binder_call(hal_wifi_supplicant, system_server)
+
+# Create a socket for receiving info from wpa
+allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
+
+# TODO(b/34131400): Use hwbinder to access keystore.
+use_keystore(hal_wifi_supplicant)
+binder_use(hal_wifi_supplicant)
+
+# WPA (wifi) has a restricted set of permissions from the default.
+allow hal_wifi_supplicant keystore:keystore_key {
+    get
+    sign
+    verify
+};
+
+# Allow wpa_cli to work. wpa_cli creates a socket in
+# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
+userdebug_or_eng(`
+  unix_socket_send(hal_wifi_supplicant, wpa, su)
+')
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_supplicant_server sdcard_type:file *;