PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
pwn-14
android_system_sepolicy/public/hal_wifi_supplicant.te
Eric Biggers 448bd57181 Remove all module_request rules 
Starting in Android 11, Android unconditionally disables kernel module
autoloading (https://r.android.com/1254748) in such a way that even the
SELinux permission does not get checked.  Therefore, all the SELinux
rules that allow or dontaudit the module_request permission are no
longer necessary.  Their presence or absence makes no difference.

Bug: 130424539
Test: Booted Cuttlefish, no SELinux denials.
Change-Id: Ib80e3c8af83478ba2c38d3e8a8ae4e1192786b57
2023-08-22 16:56:04 +00:00

39 lines
1.6 KiB
Plaintext
Raw Permalink Blame History

# HwBinder IPC from client to server
binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
hal_attribute_service(hal_wifi_supplicant, hal_wifi_supplicant_service)
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
r_dir_file(hal_wifi_supplicant, proc_net_type)
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:packet_socket create_socket_perms;
allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
use_keystore(hal_wifi_supplicant)
binder_use(hal_wifi_supplicant_server)
# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
allow hal_wifi_supplicant wifi_key:keystore2_key {
get_info
use
};
###
### neverallow rules
###
# wpa_supplicant should not trust any data from sdcards
neverallow hal_wifi_supplicant_server { sdcard_type fuse }:dir ~getattr;
neverallow hal_wifi_supplicant_server { sdcard_type fuse }:file *;
Reference in New Issue View Git Blame Copy Permalink