From 7ade68d797a83b8f4e5162f523f4caa0f246ff03 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 21 Feb 2014 11:28:20 -0500
Subject: [PATCH] Ensure that /data/misc/wifi/sockets is always labeled
 wpa_socket.

It appears that wpa_supplicant tries to rmdir /data/misc/wifi/sockets
and re-create it at times, so make sure that it remains labeled correctly
when re-created in this manner via a name-based type transition rule.
Do the same for hostapd as it also has permissions for creating/removing
this directory.

<5>[83921.800071] type=1400 audit(1392997522.105:26): avc:  denied  { rmdir } for  pid=3055 comm="wpa_supplicant" name="sockets" dev="mmcblk0p28" ino=618957 scontext=u:r:wpa:s0 tcontext=u:object_r:wpa_socket:s0 tclass=dir

We no longer need the type_transition for sock_file, as a socket file inherits
its type from the parent directory, which is labeled either by restorecon_recursive
on /data/misc/wifi/sockets or by the type_transition above, so drop it.

Change-Id: Iffa61c426783eb03205ba6964c624c6ecea32630
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 hostapd.te        | 1 +
 wpa_supplicant.te | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/hostapd.te b/hostapd.te
index a5ed62a5b..e6e88e958 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -11,6 +11,7 @@ allow hostapd self:udp_socket { create ioctl };
 
 allow hostapd wifi_data_file:file rw_file_perms;
 allow hostapd wifi_data_file:dir create_dir_perms;
+type_transition hostapd wifi_data_file:dir wpa_socket "sockets";
 allow hostapd wpa_socket:dir create_dir_perms;
 allow hostapd wpa_socket:sock_file create_file_perms;
 allow hostapd netd:fd use;
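Review bot: The type_transition added on line 34 is undocumented in hostapd.te, and its scope is narrower than the subject line implies: it only relabels a directory that hostapd itself creates with the exact name "sockets" directly under a wifi_data_file-labeled directory, so a directory created under another name or by another domain keeps the wifi_data_file label. A comment such as `# Keep /data/misc/wifi/sockets labeled wpa_socket if hostapd re-creates it (mirrors wpa_supplicant.te)` would record that intent next to the rule. Name-based type transitions also require a policy version of at least 25, so it is worth confirming the build's policy version if older kernels are still supported.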
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index 1ebf55602..fd454bf95 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -16,8 +16,8 @@ unix_socket_send(wpa, system_wpa, system_server)
 allow wpa random_device:chr_file r_file_perms;
 
 # Create a socket for receiving info from wpa
-type_transition wpa wifi_data_file:sock_file wpa_socket;
-allow wpa wpa_socket:dir { rw_dir_perms setattr };
+type_transition wpa wifi_data_file:dir wpa_socket "sockets";
+allow wpa wpa_socket:dir create_dir_perms;
 allow wpa wpa_socket:sock_file create_file_perms;
 
 # Allow wpa_cli to work. wpa_cli creates a socket in
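Review bot: The comment on line 45, `# Create a socket for receiving info from wpa`, no longer describes the rules beneath it: the type_transition on line 48 now applies to the "sockets" directory rather than to sock_file, and the sock_file label is expected to come from the parent directory. Suggest changing it to `# Create /data/misc/wifi/sockets labeled wpa_socket; sockets inside inherit the directory's label`. The move from `rw_dir_perms setattr` to create_dir_perms on line 49 is a permission widening (it presumably adds create and rmdir on wpa_socket directories, which is what the rmdir denial in the description reports), so noting that in the same comment would keep the broader grant from being trimmed back later.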
-- 
GitLab