Blame - public/hal_wifi_supplicant.te - android_system_sepolicy

blob: 8d2c0ea19c58b1194011bd85ef657688adfb8c23 [file] [log] [blame]

Roshan Pius	a976e64	2017-02-18 21:32:32 -0800	[diff] [blame^]	1	# HwBinder IPC from client to server
				2	binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
				3	binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
				4
				5	# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
				6	allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
				7
				8	r_dir_file(hal_wifi_supplicant, sysfs_type)
				9	r_dir_file(hal_wifi_supplicant, proc_net)
				10
				11	allow hal_wifi_supplicant kernel:system module_request;
				12	allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
				13	allow hal_wifi_supplicant cgroup:dir create_dir_perms;
				14	allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
				15	allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
				16	allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
				17	allow hal_wifi_supplicant self:packet_socket create_socket_perms;
				18	allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
				19	allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
				20	allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
				21	# TODO(b/35707797): Remove this socket access.
				22	unix_socket_send(hal_wifi_supplicant, system_wpa, system_server)
				23
				24	# HIDL interface exposed by WPA.
				25	hwbinder_use(hal_wifi_supplicant)
				26	binder_call(hal_wifi_supplicant, system_server)
				27
				28	# Create a socket for receiving info from wpa
				29	allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
				30	allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
				31
				32	# TODO(b/34131400): Use hwbinder to access keystore.
				33	use_keystore(hal_wifi_supplicant)
				34	binder_use(hal_wifi_supplicant)
				35
				36	# WPA (wifi) has a restricted set of permissions from the default.
				37	allow hal_wifi_supplicant keystore:keystore_key {
				38	get
				39	sign
				40	verify
				41	};
				42
				43	# Allow wpa_cli to work. wpa_cli creates a socket in
				44	# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
				45	userdebug_or_eng(`
				46	unix_socket_send(hal_wifi_supplicant, wpa, su)
				47	')
				48
				49	###
				50	### neverallow rules
				51	###
				52
				53	# wpa_supplicant should not trust any data from sdcards
				54	neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
				55	neverallow hal_wifi_supplicant_server sdcard_type:file *;