| # wpa supplicant or equivalent |
| type hal_wifi_supplicant_default, domain; |
| hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant) |
| type hal_wifi_supplicant_default_exec, exec_type, vendor_file_type, file_type; |
| init_daemon_domain(hal_wifi_supplicant_default) |
| |
| net_domain(hal_wifi_supplicant_default) |
| # Create a socket for receiving info from wpa |
| type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets"; |
| |
| # Allow wpa_supplicant to configure nl80211 |
| allow hal_wifi_supplicant_default proc_net_type:file write; |
| |
| # Allow wpa_supplicant to talk to Wifi Keystore HwBinder service. |
| hwbinder_use(hal_wifi_supplicant_default) |
| allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find; |
| binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server) |
| |
| allow hal_wifi_supplicant_default wpa_data_file:dir create_dir_perms; |
| allow hal_wifi_supplicant_default wpa_data_file:file create_file_perms; |
| allow hal_wifi_supplicant_default wpa_data_file:sock_file create_file_perms; |
| |
| # Write to security logs for audit. |
| get_prop(hal_wifi_supplicant_default, device_logging_prop) |
| |
| # Devices upgrading to P may grant this permission in device-specific |
| # policy along with the data_between_core_and_vendor_violators |
| # attribute needed for an exemption. However, devices that launch with |
| # P should use /data/vendor/wifi, which is already granted in core |
| # policy. This is dontaudited here to avoid conditional |
| # device-specific behavior in wpa_supplicant. |
| dontaudit hal_wifi_supplicant_default wifi_data_file:dir search; |
| |
| # Allow wpa supplicant to access Netlink Interceptor |
| hal_client_domain(hal_wifi_supplicant_default, hal_nlinterceptor) |