From d56bcb1c5452c8dcdda7e4ef5d0f44b91b6bb08b Mon Sep 17 00:00:00 2001
From: Ningyuan Wang <nywang@google.com>
Date: Fri, 3 Jun 2016 10:08:56 -0700
Subject: [PATCH] sepolicy: add sepolicy binder support for wificond
This allows wificond to publish binder interface using service manager.
Denial warnings:
wificond: type=1400 audit(0.0:8): avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
wificond: type=1400 audit(0.0:9): avc: denied { transfer } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
servicemanager: type=1400 audit(0.0:10): avc: denied { search } for name="6085" dev="proc" ino=40626 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=dir permissive=1
servicemanager: type=1400 audit(0.0:11): avc: denied { read } for name="current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1
servicemanager: type=1400 audit(0.0:12): avc: denied { open } for path="/proc/6085/attr/current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1
servicemanager: type=1400 audit(0.0:13): avc: denied { getattr } for scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=process permissive=1
SELinux : avc: denied { add } for service=wificond pid=6085 uid=0 scontext=u:r:wificond:s0 tcontext=u:object_r:wifi_service:s0 tclass=service_manager permissive=1
BUG=28867093
TEST=compile
TEST=use a client to call wificond service through binder
Change-Id: I9312892caff171f17b04c30a415c07036b39ea7f
---
 service.te | 1 +
 service_contexts | 1 +
 wificond.te | 5 +++++
 3 files changed, 7 insertions(+)
diff --git a/service.te b/service.te
index 6b5838c5b..c891ca8e0 100644
--- a/service.te
+++ b/service.te
@@ -118,4 +118,5 @@ type webviewupdate_service, app_api_service, system_server_service, service_mana
 type wifip2p_service, app_api_service, system_server_service, service_manager_type;
 type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
 type wifi_service, app_api_service, system_server_service, service_manager_type;
+type wificond_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 0ddbdc171..218cb8f9f 100644
--- a/service_contexts
+++ b/service_contexts
@@ -143,5 +143,6 @@ webviewupdate u:object_r:webviewupdate_service:s0
 wifip2p u:object_r:wifip2p_service:s0
 wifiscanner u:object_r:wifiscanner_service:s0
 wifi u:object_r:wifi_service:s0
+wificond u:object_r:wificond_service:s0
 window u:object_r:window_service:s0
 * u:object_r:default_android_service:s0
diff --git a/wificond.te b/wificond.te
index 11afffe66..edc82e0d5 100644
--- a/wificond.te
+++ b/wificond.te
@@ -3,3 +3,8 @@ type wificond, domain;
 type wificond_exec, exec_type, file_type;
 init_daemon_domain(wificond)
+
+binder_use(wificond)
+binder_call(wificond, system_server)
+
+allow wificond wificond_service:service_manager { add find };
-- 
GitLab
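Review bot: In the service.te hunk, `wificond_service` carries the `system_server_service` attribute although, going by the commit message and the wificond.te hunk, the service is registered by the wificond domain and not by system_server. If system_server's policy grants `add` on that attribute (that file is not part of this patch, so this is an assumption to confirm), system_server would be able to register the `wificond` name too, leaving two domains able to own it. If the attribute is only there so that system_server can look the service up, a narrower form is `type wificond_service, service_manager_type;` together with an explicit `allow system_server wificond_service:service_manager find;` in system_server's policy.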
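Review bot: In the wificond.te hunk, `binder_call(wificond, system_server)` and the `find` permission are not backed by any denial quoted in the commit message, which lists only wificond's calls to servicemanager and an `add` on the service. The binder_call lets wificond call into system_server, whereas the stated test (a client calling wificond) would need the opposite direction, so the rule should either carry a one-line comment naming the system_server interface wificond uses or wait until a denial shows it is needed. The last rule could be narrowed to `allow wificond wificond_service:service_manager add;`, and ownership of the name pinned with `neverallow { domain -wificond } wificond_service:service_manager add;`. No context lines follow the additions, so the hunk appears to run to the end of the file.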