From c8bd93d7e86647ad6880d460f8aa9d24088fad58 Mon Sep 17 00:00:00 2001
From: Robert Quattlebaum <rquattle@google.com>
Date: Fri, 4 Aug 2017 14:51:36 -0700
Subject: [PATCH] lowpan: Add wpantund to SEPolicy
Bug: b/64399219
Test: Manual
Change-Id: I4f6c7e4e3339ae95e43299bf364edff40d07c796
---
private/compat/26.0/26.0.ignore.cil | 6 +++++-
private/file_contexts | 1 +
private/system_server.te | 1 +
private/wpantund.te | 3 +++
public/service.te | 1 +
public/wpantund.te | 22 ++++++++++++++++++++++
6 files changed, 33 insertions(+), 1 deletion(-)
create mode 100644 private/wpantund.te
create mode 100644 public/wpantund.te
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index c64c86618..1f2d82348 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -33,7 +33,11 @@
 thermalserviced_tmpfs
 timezone_service
 tombstoned_java_trace_socket
- vold_service))
+ vold_service
+ wpantund
+ wpantund_exec
+ wpantund_service
+ wpantund_tmpfs))
 ;; private_objects - a collection of types that were labeled differently in
 ;; older policy, but that should not remain accessible to vendor policy.
diff --git a/private/file_contexts b/private/file_contexts
index ffc601cc5..0752a3daa 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -260,6 +260,7 @@
 /system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
 /system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
 /system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
+/system/bin/wpantund u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
 /system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index 109587e28..62bc129eb 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -180,6 +180,7 @@ binder_call(system_server, incidentd)
 binder_call(system_server, netd)
 binder_call(system_server, vold)
 binder_call(system_server, wificond)
+binder_call(system_server, wpantund)
 binder_service(system_server)
 # Use HALs
diff --git a/private/wpantund.te b/private/wpantund.te
new file mode 100644
index 000000000..e91662cb7
--- /dev/null
+++ b/private/wpantund.te
@@ -0,0 +1,3 @@
+typeattribute wpantund coredomain;
+
+init_daemon_domain(wpantund)
diff --git a/public/service.te b/public/service.te
index 068ea4e78..fe26020d9 100644
--- a/public/service.te
+++ b/public/service.te
@@ -150,3 +150,4 @@ type wifi_service, app_api_service, system_server_service, service_manager_type;
 type wificond_service, service_manager_type;
 type wifiaware_service, app_api_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
+type wpantund_service, system_api_service, service_manager_type;
diff --git a/public/wpantund.te b/public/wpantund.te
new file mode 100644
index 000000000..2993e6d6e
--- /dev/null
+++ b/public/wpantund.te
@@ -0,0 +1,22 @@
+type wpantund, domain;
+type wpantund_exec, exec_type, file_type;
+
+hal_client_domain(wpantund, hal_lowpan)
+net_domain(wpantund)
+
+binder_use(wpantund)
+binder_call(wpantund, system_server)
+
+# wpantund needs to be able to check in with the lowpan_service
+allow wpantund lowpan_service:service_manager find;
+
+# create sockets to set interfaces up and down, add multicast groups, etc.
+allow wpantund self:udp_socket create_socket_perms;
+
+# setting interface state up/down and changing MTU are privileged ioctls
+allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
+
+# Allow us to bring up a TUN network interface.
+allow wpantund tun_device:chr_file rw_file_perms;
+allow wpantund self:capability { net_admin net_raw };
+allow wpantund self:tun_socket create;
-- GitLab
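Review bot: `type wpantund_service, system_api_service, service_manager_type;` in the public/service.te hunk declares a service type that nothing else in this patch uses: public/wpantund.te only grants `find` on lowpan_service, there is no `add_service(wpantund, wpantund_service)`, and private/service_contexts is not in the diffstat, so no service name is labeled with the new type. Unless those pieces already exist or arrive in a follow-up, the type is unreachable and is only carried along as an entry in 26.0.ignore.cil. If wpantund is meant to publish a binder service, pair this line with `add_service(wpantund, wpantund_service)` in public/wpantund.te and a matching service_contexts entry; if it is not, drop the type here and in 26.0.ignore.cil so the policy does not declare a service nobody can register.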
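Review bot: `allow wpantund self:capability { net_admin net_raw };` in the public/wpantund.te hunk grants net_raw without anything in the file saying why; the comment above only explains bringing up a TUN interface, which accounts for net_admin, and the rules that are visible here only add udp_socket permissions plus two interface ioctls (net_domain may grant more socket classes, but that is outside this patch). If net_raw is genuinely required, for instance for SO_BINDTODEVICE on those sockets, document it on the line, `# net_raw: <reason> — TODO confirm`; otherwise drop it so the daemon keeps the smallest capability set that works. On the same file, the comment above `allow wpantund self:udp_socket create_socket_perms;` mentions adding multicast groups while the allowxperm line below whitelists only SIOCSIFFLAGS and SIOCSIFMTU; if group membership is set via setsockopt the comment is accurate, but if it goes through an ioctl that list will need extending, so it is worth stating which.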