hal_wifi: Allow wifi hal to access LOWI server

HAL wifi creates a LOWI client for accessing the LOWI server to share
wifi gscan results for location purposes.
Move all "location" access permissions from system_server to hal_wifi
since these were most likely added for the old wifi hal which was loaded
in system_server.

Denials:
03-04 04:20:09.956  4796  4796 I android.hardwar: type=1400
audit(0.0:97): avc: denied { search } for name="location" dev="sda35"
ino=3850313 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:location_data_file:s0 tclass=dir permissive=1
03-04 04:20:09.956  4796  4796 I android.hardwar: type=1400
audit(0.0:98): avc: denied { write } for name="location-mq-s"
dev="sda35" ino=3850337 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:location_data_file:s0 tclass=sock_file permissive=1
03-04 04:20:09.956  4796  4796 I android.hardwar: type=1400
audit(0.0:99): avc: denied { connectto } for
path="/data/misc/location/mq/location-mq-s"
scontext=u:r:hal_wifi_default:s0 tcontext=u:r:location:s0
tclass=unix_stream_socket permissive=1

Bug: 35959128
Test: Device boots up and able to connect to wifi network.
Denials no longer seen. Previously some wifi HAL calls would take
a long time to complete because it tries to create a LOWI client for
every request and fails.

Change-Id: Ib465d0c97efbb1f1adb7ec0f2d499f46b6111419
diff --git a/sepolicy/hal_wifi.te b/sepolicy/hal_wifi.te
new file mode 100644
index 0000000..339379c
--- /dev/null
+++ b/sepolicy/hal_wifi.te
@@ -0,0 +1,5 @@
+# Allow wifi hal access to LOWI
+allow hal_wifi location:unix_stream_socket connectto;
+allow hal_wifi location_data_file:{ file fifo_file } create_file_perms;
+allow hal_wifi location_data_file:dir rw_dir_perms;
+allow hal_wifi location_data_file:sock_file create_file_perms;
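Review bot: The three location_data_file rules grant more than the denials in the commit message justify. The logs show only `search` on the dir, `write` on the sock_file and `connectto` on the unix_stream_socket, yet the new file gives `create_file_perms` on `{ file fifo_file }` and on `sock_file`, plus `rw_dir_perms` on the dir. That copies the old system_server grant wholesale. Unless the LOWI client in the wifi HAL really creates files, FIFOs or sockets under /data/misc/location, consider narrowing to `location_data_file:dir search` and `location_data_file:sock_file write` alongside the `connectto` rule, and adding anything further only when a denial shows it is needed. Also note the rules are written against `hal_wifi` while the denials come from `hal_wifi_default`; a short comment saying the wider scope is intended would help.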
diff --git a/sepolicy/location.te b/sepolicy/location.te
index 04880d1..210a03c 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -9,7 +9,7 @@
 binder_call(location, system_server)
 
 qmux_socket(location)
-allow location system_server:unix_stream_socket { read write };
+allow location hal_wifi:unix_stream_socket { read write };
 
 allow location location_data_file:dir rw_dir_perms;
 allow location location_data_file:file create_file_perms;
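Review bot: The replacement line `allow location hal_wifi:unix_stream_socket { read write };` is not backed by any denial in the commit message: all three logged denials have scontext hal_wifi_default, none has scontext location. Please add the denial that shows location needs read/write on a hal_wifi socket, or state in the commit message that this is a like-for-like swap of the system_server rule. Since the system_server rule is dropped in the same line, it is also worth confirming that location no longer uses a socket owned by system_server.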
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 570eaba..8b0f1bf 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -19,12 +19,6 @@
 allow system_server persist_file:dir search;
 allow system_server persist_sensortool_file:file r_file_perms;
 
-# For location
-allow system_server location:unix_stream_socket connectto;
-allow system_server location_data_file:{ file fifo_file } create_file_perms;
-allow system_server location_data_file:dir rw_dir_perms;
-allow system_server location_data_file:sock_file create_file_perms;
-
 # talk to perfd
 allow system_server perfd_data_file:dir search;
 allow system_server perfd_data_file:sock_file write;
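Review bot: Removing the whole "# For location" block from system_server rests on the commit message's "most likely added for the old wifi hal", and the stated test covers only boot and connecting to a wifi network. Before dropping these four rules, exercise a location request end to end and check the logs for new avc denials with scontext system_server against location or location_data_file. If nothing shows up, say so in the Test: line so the removal is backed by a result rather than an assumption.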