2ee66e7d14
We install all default hal implementations in /vendor/bin/hw along with a few domains that are defined in vendor policy and installed in /vendor. These files MUST be a subset of the global 'vendor_file_type' which is used to address *all files installed in /vendor* throughout the policy. Bug: 36463595 Test: Boot sailfish without any new denials Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41 Signed-off-by: Sandeep Patil <sspatil@google.com>
38 lines
1.4 KiB
Plaintext
38 lines
1.4 KiB
Plaintext
# userspace wifi access points
|
|
type hostapd, domain;
|
|
type hostapd_exec, exec_type, vendor_file_type, file_type;
|
|
|
|
init_daemon_domain(hostapd)
|
|
|
|
net_domain(hostapd)
|
|
allow hostapd self:capability { net_admin net_raw };
|
|
|
|
# hostapd learns about its network interface via sysfs.
|
|
allow hostapd sysfs:file r_file_perms;
|
|
# hostapd follows the /sys/class/net/wlan0 link to the PCI device.
|
|
allow hostapd sysfs:lnk_file r_file_perms;
|
|
|
|
# Allow hostapd to access /proc/net/psched
|
|
allow hostapd proc_net:file { getattr open read };
|
|
|
|
# Various socket permissions.
|
|
allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;
|
|
allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
|
|
allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
allow hostapd self:packet_socket create_socket_perms_no_ioctl;
|
|
allow hostapd self:netlink_route_socket nlmsg_write;
|
|
|
|
# hostapd can read and write WiFi related data and configuration.
|
|
# For example, the entropy file is periodically updated.
|
|
allow hostapd wifi_data_file:file rw_file_perms;
|
|
r_dir_file(hostapd, wifi_data_file)
|
|
|
|
# hostapd wants to create the directory holding its control socket.
|
|
allow hostapd hostapd_socket:dir create_dir_perms;
|
|
# hostapd needs to create, bind to, read, and write its control socket.
|
|
allow hostapd hostapd_socket:sock_file create_file_perms;
|
|
|
|
# TODO (b/36646171) Move hostapd's data access to /data/vendor
|
|
# Remove coredata_in_vendor_violators attribute.
|
|
typeattribute hostapd coredata_in_vendor_violators;
|