Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / eb5872ed2895130866a19e0ae8a30ea0dc909fe4^! / . / private / wifi_mainline_supplicant.te
commiteb5872ed2895130866a19e0ae8a30ea0dc909fe4[log] [tgz]
authorGabriel Biren <gbiren@google.com>Thu Aug 15 22:29:02 2024 +0000
committerGabriel Biren <gbiren@google.com>Mon Nov 18 20:18:40 2024 +0000
tree06539a3e13cde19d54bda2e6f557e9f9f4774ab1
parent416f81ac7d8755f8835092aef7705bead7f5220e [diff] [blame]
Introduce Selinux policies for the mainline supplicant.

Aside from binder access, supplicant requires some
networking capabilities in order to work as expected.

Bug: 365585450
Test: Manual test - retrieve the mainline supplicant
      binder in frameworks/base, and call a test
      method using its AIDL interface
Change-Id: Id76fe09b2ecae758ed93b92d92020d45f19d2501

diff --git a/private/wifi_mainline_supplicant.te b/private/wifi_mainline_supplicant.te
new file mode 100644
index 0000000..d6c7998
--- /dev/null
+++ b/private/wifi_mainline_supplicant.te

@@ -0,0 +1,31 @@
+type wifi_mainline_supplicant, domain, coredomain;
+type wifi_mainline_supplicant_exec, system_file_type, exec_type, file_type;
+
+binder_use(wifi_mainline_supplicant)
+init_daemon_domain(wifi_mainline_supplicant)
+add_service(wifi_mainline_supplicant, wifi_mainline_supplicant_service)
+
+allow wifi_mainline_supplicant self:global_capability_class_set { setuid setgid net_admin net_raw };
+allow wifi_mainline_supplicant proc_net:file rw_file_perms;
+allow wifi_mainline_supplicant sysfs_net:dir search;
+
+# Allow limited access to the parent directory /data/misc/wifi/
+allow wifi_mainline_supplicant wifi_data_file:dir { getattr search };
+
+# Create temporary socket files in /data/misc/wifi/mainline_supplicant/sockets
+allow wifi_mainline_supplicant mainline_supplicant_data_file:dir create_dir_perms;
+allow wifi_mainline_supplicant mainline_supplicant_data_file:file create_file_perms;
+allow wifi_mainline_supplicant mainline_supplicant_data_file:sock_file { create write setattr unlink };
+
+# UDP sockets
+allow wifi_mainline_supplicant self:udp_socket create_socket_perms;
+allowxperm wifi_mainline_supplicant self:udp_socket ioctl { priv_sock_ioctls SIOCSIFFLAGS SIOCSIFHWADDR };
+
+# Packet sockets
+allow wifi_mainline_supplicant self:packet_socket create_socket_perms;
+allowxperm wifi_mainline_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+# Netlink sockets
+allow wifi_mainline_supplicant self:netlink_route_socket { bind create read write nlmsg_readpriv nlmsg_write };
+allow wifi_mainline_supplicant self:netlink_socket create_socket_perms_no_ioctl;
+allow wifi_mainline_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;