-
Roshan Pius authored
We're going to be using Android framework directly to invoke Wifi HIDL calls. So, change permissions appropriately. Bug: 33398154 Test: Verfied that framework is able to make HIDL calls using go/aog/310610. Change-Id: I4d0d88961753ad73f3876aec58b26b89486cc02a
02ed21e8
wpa.te 1.65 KiB
# wpa - wpa supplicant or equivalent
type wpa, domain, domain_deprecated;
type wpa_exec, exec_type, file_type;
net_domain(wpa)
# in addition to ioctls whitelisted for all domains, grant wpa priv_sock_ioctls.
allowxperm wpa self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(wpa, sysfs_type)
r_dir_file(wpa, proc_net)
allow wpa kernel:system module_request;
allow wpa self:capability { setuid net_admin setgid net_raw };
allow wpa cgroup:dir create_dir_perms;
allow wpa self:netlink_route_socket nlmsg_write;
allow wpa self:netlink_socket create_socket_perms_no_ioctl;
allow wpa self:netlink_generic_socket create_socket_perms_no_ioctl;
allow wpa self:packet_socket create_socket_perms;
allowxperm wpa self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
allow wpa wifi_data_file:dir create_dir_perms;
allow wpa wifi_data_file:file create_file_perms;
unix_socket_send(wpa, system_wpa, system_server)
# Keystore access via binder.
binder_use(wpa)
# HIDL interface exposed by WPA.
hwbinder_use(wpa)
binder_call(wpa, system_server)
# Create a socket for receiving info from wpa
allow wpa wpa_socket:dir create_dir_perms;
allow wpa wpa_socket:sock_file create_file_perms;
use_keystore(wpa)
# WPA (wifi) has a restricted set of permissions from the default.
allow wpa keystore:keystore_key {
get
sign
verify
};
# Allow wpa_cli to work. wpa_cli creates a socket in
# /data/misc/wifi/sockets which wpa supplicant communicates with.
userdebug_or_eng(`
unix_socket_send(wpa, wpa, su)
')
###
### neverallow rules
###
# wpa_supplicant should not trust any data from sdcards
neverallow wpa sdcard_type:dir ~getattr;
neverallow wpa sdcard_type:file *;