623975fa5a
Permissive domains are only intended for development. When a device launches, we want to ensure that all permissive domains are in, at a minimum, unconfined+enforcing. Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During development, this flag is false, and permissive domains are allowed. When SELinux new feature development has been frozen immediately before release, this flag will be flipped to true. Any previously permissive domains will move into unconfined+enforcing. This will ensure that all SELinux domains have at least a minimal level of protection. Unconditionally enable this flag for all user builds. Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
23 lines
958 B
Plaintext
23 lines
958 B
Plaintext
# userspace wifi access points
|
|
type hostapd, domain;
|
|
permissive_or_unconfined(hostapd)
|
|
type hostapd_exec, exec_type, file_type;
|
|
|
|
allow hostapd self:capability { net_admin net_raw setuid setgid };
|
|
allow hostapd self:netlink_socket create_socket_perms;
|
|
allow hostapd self:packet_socket { create write read };
|
|
allow hostapd self:netlink_route_socket { bind create write nlmsg_write read };
|
|
allow hostapd self:udp_socket { create ioctl };
|
|
|
|
allow hostapd wifi_data_file:file rw_file_perms;
|
|
allow hostapd wifi_data_file:dir create_dir_perms;
|
|
allow hostapd wifi_data_file:sock_file { create setattr write unlink };
|
|
|
|
allow hostapd netd:fd use;
|
|
allow hostapd netd:udp_socket { read write };
|
|
allow hostapd netd:netlink_kobject_uevent_socket { read write };
|
|
allow hostapd netd:netlink_nflog_socket { read write };
|
|
allow hostapd netd:netlink_route_socket { read write };
|
|
allow hostapd netd:unix_stream_socket { read write };
|
|
allow hostapd netd:fifo_file { read write };
|