| # wpa - wpa supplicant or equivalent |
| type wpa, domain, domain_deprecated; |
| type wpa_exec, exec_type, file_type; |
| |
| init_daemon_domain(wpa) |
| |
| net_domain(wpa) |
| # in addition to ioctls whitelisted for all domains, grant wpa priv_sock_ioctls. |
| allowxperm wpa self:udp_socket ioctl priv_sock_ioctls; |
| |
| r_dir_file(wpa, sysfs_type) |
| r_dir_file(wpa, proc_net) |
| |
| allow wpa kernel:system module_request; |
| allow wpa self:capability { setuid net_admin setgid net_raw }; |
| allow wpa cgroup:dir create_dir_perms; |
| allow wpa self:netlink_route_socket nlmsg_write; |
| allow wpa self:netlink_socket create_socket_perms_no_ioctl; |
| allow wpa self:netlink_generic_socket create_socket_perms_no_ioctl; |
| allow wpa self:packet_socket create_socket_perms; |
| allowxperm wpa self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls }; |
| allow wpa wifi_data_file:dir create_dir_perms; |
| allow wpa wifi_data_file:file create_file_perms; |
| unix_socket_send(wpa, system_wpa, system_server) |
| |
| # Binder interface exposed by WPA. |
| binder_use(wpa) |
| binder_call(wpa, wificond) |
| allow wpa wpa_supplicant_service:service_manager { add find }; |
| |
| # Create a socket for receiving info from wpa |
| type_transition wpa wifi_data_file:dir wpa_socket "sockets"; |
| allow wpa wpa_socket:dir create_dir_perms; |
| allow wpa wpa_socket:sock_file create_file_perms; |
| |
| use_keystore(wpa) |
| |
| # WPA (wifi) has a restricted set of permissions from the default. |
| allow wpa keystore:keystore_key { |
| get |
| sign |
| verify |
| }; |
| |
| # Allow wpa_cli to work. wpa_cli creates a socket in |
| # /data/misc/wifi/sockets which wpa supplicant communicates with. |
| userdebug_or_eng(` |
| unix_socket_send(wpa, wpa, su) |
| ') |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| # wpa_supplicant should not trust any data from sdcards |
| neverallow wpa sdcard_type:dir ~getattr; |
| neverallow wpa sdcard_type:file *; |