Introduce SELinux policies for the mainline supplicant.

Aside from binder access, supplicant requires some
networking capabilities in order to work as expected.

Bug: 365585450
Test: Manual test - retrieve the mainline supplicant
      binder in frameworks/base, and call a test
      method using its AIDL interface
Change-Id: Id76fe09b2ecae758ed93b92d92020d45f19d2501
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index e401588..0bf3f7e 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -24,4 +24,5 @@
     sysfs_firmware_acpi_tables
     dynamic_instrumentation_service
     intrusion_detection_service
+    wifi_mainline_supplicant_service
   ))
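Review bot: Only `wifi_mainline_supplicant_service` is added to the 202404 ignore list, while the same change also introduces `mainline_supplicant_data_file`, `wifi_mainline_supplicant` and `wifi_mainline_supplicant_exec`. If the compat tests for this release report those as unmapped new types, they belong in this same `typeattributeset` block; if they pass without being listed, a short note in the commit message on why only the service type is needed would save the next reviewer the same question.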
diff --git a/private/file.te b/private/file.te
index 98fbd35..559b0fe 100644
--- a/private/file.te
+++ b/private/file.te
@@ -169,6 +169,9 @@
 # /data/misc/connectivityblobdb
 type connectivityblob_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc/wifi/mainline_supplicant
+type mainline_supplicant_data_file, file_type, data_file_type, core_data_file_type;
+
 # Type for /mnt/pre_reboot_dexopt
 type pre_reboot_dexopt_file, file_type;
 
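Review bot: The new type is named `mainline_supplicant_data_file`, while every other identifier introduced by this change carries the `wifi_mainline_supplicant` prefix (the domain, `_exec` and `_service`). For consistency and greppability consider `wifi_mainline_supplicant_data_file`, which would also require updating the file_contexts label and the allow rules in the new domain's .te file. The attribute set itself matches the neighbouring `connectivityblob_data_file` declaration, so the declaration looks otherwise fine.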
diff --git a/private/file_contexts b/private/file_contexts
index 20ef9b8..2350a7c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -716,6 +716,7 @@
 /data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
 /data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
 /data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
+/data/misc/wifi/mainline_supplicant(/.*)?  u:object_r:mainline_supplicant_data_file:s0
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
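Review bot: Nothing in this change creates `/data/misc/wifi/mainline_supplicant`, and the new domain is only granted `{ getattr search }` on `wifi_data_file:dir`, so it cannot create the directory itself. Unless an init .rc `mkdir` outside this diff creates it with this label before the daemon starts, the label on the added line is never applied and the daemon has no directory for the sockets its policy comment describes. Worth confirming that rc change lands with or before this policy, or stating in the commit message where the directory is created.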
diff --git a/private/service.te b/private/service.te
index 72949f9..bb24fd4 100644
--- a/private/service.te
+++ b/private/service.te
@@ -57,8 +57,9 @@
     type microfuchsia_service,          service_manager_type;
 ')
 
-type uce_service,                   service_manager_type;
-type wearable_sensing_service,      app_api_service, system_server_service, service_manager_type;
+type uce_service,                      service_manager_type;
+type wearable_sensing_service,         app_api_service, system_server_service, service_manager_type;
+type wifi_mainline_supplicant_service, service_manager_type;
 
 ###
 ### Neverallow rules
diff --git a/private/service_contexts b/private/service_contexts
index 1d18a46..e452172 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -514,5 +514,6 @@
 wifinl80211                               u:object_r:wifinl80211_service:s0
 wifiaware                                 u:object_r:wifiaware_service:s0
 wifirtt                                   u:object_r:rttmanager_service:s0
+wifi_mainline_supplicant                  u:object_r:wifi_mainline_supplicant_service:s0
 window                                    u:object_r:window_service:s0
 *                                         u:object_r:default_android_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 6eb5b74..044edc1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -304,6 +304,7 @@
 binder_call(system_server, logd)
 binder_call(system_server, wificond)
 binder_call(system_server, uprobestats)
+binder_call(system_server, wifi_mainline_supplicant)
 binder_service(system_server)
 
 # Use HALs
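Review bot: The added `binder_call(system_server, wifi_mainline_supplicant)` covers calls into the supplicant, but the new supplicant domain in this change only has `binder_use` and no `binder_call(wifi_mainline_supplicant, system_server)`. If the AIDL interface registers callbacks that the supplicant invokes on system_server, as supplicant interfaces commonly do, those transactions will be denied at runtime; if the interface is strictly one-way the current rules are sufficient and a comment such as `# No callbacks: supplicant never calls back into system_server` would make that explicit.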
@@ -1023,6 +1024,7 @@
 userdebug_or_eng(`
   allow system_server profcollectd_service:service_manager find;
 ')
+allow system_server wifi_mainline_supplicant_service:service_manager find;
 
 add_service(system_server, batteryproperties_service)
 
diff --git a/private/wifi_mainline_supplicant.te b/private/wifi_mainline_supplicant.te
new file mode 100644
index 0000000..d6c7998
--- /dev/null
+++ b/private/wifi_mainline_supplicant.te
@@ -0,0 +1,31 @@
+type wifi_mainline_supplicant, domain, coredomain;
+type wifi_mainline_supplicant_exec, system_file_type, exec_type, file_type;
+
+binder_use(wifi_mainline_supplicant)
+init_daemon_domain(wifi_mainline_supplicant)
+add_service(wifi_mainline_supplicant, wifi_mainline_supplicant_service)
+
+allow wifi_mainline_supplicant self:global_capability_class_set { setuid setgid net_admin net_raw };
+allow wifi_mainline_supplicant proc_net:file rw_file_perms;
+allow wifi_mainline_supplicant sysfs_net:dir search;
+
+# Allow limited access to the parent directory /data/misc/wifi/
+allow wifi_mainline_supplicant wifi_data_file:dir { getattr search };
+
+# Create temporary socket files in /data/misc/wifi/mainline_supplicant/sockets
+allow wifi_mainline_supplicant mainline_supplicant_data_file:dir create_dir_perms;
+allow wifi_mainline_supplicant mainline_supplicant_data_file:file create_file_perms;
+allow wifi_mainline_supplicant mainline_supplicant_data_file:sock_file { create write setattr unlink };
+
+# UDP sockets
+allow wifi_mainline_supplicant self:udp_socket create_socket_perms;
+allowxperm wifi_mainline_supplicant self:udp_socket ioctl { priv_sock_ioctls SIOCSIFFLAGS SIOCSIFHWADDR };
+
+# Packet sockets
+allow wifi_mainline_supplicant self:packet_socket create_socket_perms;
+allowxperm wifi_mainline_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+# Netlink sockets
+allow wifi_mainline_supplicant self:netlink_route_socket { bind create read write nlmsg_readpriv nlmsg_write };
+allow wifi_mainline_supplicant self:netlink_socket create_socket_perms_no_ioctl;
+allow wifi_mainline_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
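Review bot: The `allowxperm` under `# Packet sockets` grants `unpriv_tty_ioctls` in addition to both socket ioctl sets, and `proc_net:file` is granted `rw_file_perms` rather than read-only access, yet neither comment explains why a supplicant needs tty ioctls on a packet socket or write access under /proc/net. If these were carried over from an existing supplicant policy, a comment naming the source and the reason (e.g. `# Same ioctl set as the existing supplicant policy; tty ioctls required for <reason>`) would let a reviewer check them; otherwise trimming to `{ unpriv_sock_ioctls priv_sock_ioctls }` and `r_file_perms` keeps this new coredomain at the set actually exercised by the manual test. The `setuid setgid` capabilities are likewise undocumented, and a one-line comment on whether the daemon drops privileges after startup would justify them.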