public/wpa.te - platform/system/sepolicy - Git at Google

 # wpa - wpa supplicant or equivalent
 type wpa, domain, domain_deprecated;
 type wpa_exec, exec_type, file_type;

 net_domain(wpa)
 # in addition to ioctls whitelisted for all domains, grant wpa priv_sock_ioctls.
 allowxperm wpa self:udp_socket ioctl priv_sock_ioctls;

 r_dir_file(wpa, sysfs_type)
 r_dir_file(wpa, proc_net)

 allow wpa kernel:system module_request;
 allow wpa self:capability { setuid net_admin setgid net_raw };
 allow wpa cgroup:dir create_dir_perms;
 allow wpa self:netlink_route_socket nlmsg_write;
 allow wpa self:netlink_socket create_socket_perms_no_ioctl;
 allow wpa self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow wpa self:packet_socket create_socket_perms;
 allowxperm wpa self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
 allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)

 # Keystore access via binder.
 binder_use(wpa)

 # HIDL interface exposed by WPA.
 hwbinder_use(wpa)
 binder_call(wpa, wificond)

 # Create a socket for receiving info from wpa
 allow wpa wpa_socket:dir create_dir_perms;
 allow wpa wpa_socket:sock_file create_file_perms;

 use_keystore(wpa)

 # WPA (wifi) has a restricted set of permissions from the default.
 allow wpa keystore:keystore_key {
 	get
 	sign
 	verify
 };

 # Allow wpa_cli to work. wpa_cli creates a socket in
 # /data/misc/wifi/sockets which wpa supplicant communicates with.
 userdebug_or_eng(`
   unix_socket_send(wpa, wpa, su)
 ')

 ###
 ### neverallow rules
 ###

 # wpa_supplicant should not trust any data from sdcards
 neverallow wpa sdcard_type:dir ~getattr;
 neverallow wpa sdcard_type:file *;
	# wpa - wpa supplicant or equivalent
	type wpa, domain, domain_deprecated;
	type wpa_exec, exec_type, file_type;

	net_domain(wpa)
	# in addition to ioctls whitelisted for all domains, grant wpa priv_sock_ioctls.
	allowxperm wpa self:udp_socket ioctl priv_sock_ioctls;

	r_dir_file(wpa, sysfs_type)
	r_dir_file(wpa, proc_net)

	allow wpa kernel:system module_request;
	allow wpa self:capability { setuid net_admin setgid net_raw };
	allow wpa cgroup:dir create_dir_perms;
	allow wpa self:netlink_route_socket nlmsg_write;
	allow wpa self:netlink_socket create_socket_perms_no_ioctl;
	allow wpa self:netlink_generic_socket create_socket_perms_no_ioctl;
	allow wpa self:packet_socket create_socket_perms;
	allowxperm wpa self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
	allow wpa wifi_data_file:dir create_dir_perms;
	allow wpa wifi_data_file:file create_file_perms;
	unix_socket_send(wpa, system_wpa, system_server)

	# Keystore access via binder.
	binder_use(wpa)

	# HIDL interface exposed by WPA.
	hwbinder_use(wpa)
	binder_call(wpa, wificond)

	# Create a socket for receiving info from wpa
	allow wpa wpa_socket:dir create_dir_perms;
	allow wpa wpa_socket:sock_file create_file_perms;

	use_keystore(wpa)

	# WPA (wifi) has a restricted set of permissions from the default.
	allow wpa keystore:keystore_key {
	get
	sign
	verify
	};

	# Allow wpa_cli to work. wpa_cli creates a socket in
	# /data/misc/wifi/sockets which wpa supplicant communicates with.
	userdebug_or_eng(`
	unix_socket_send(wpa, wpa, su)
	')

	###
	### neverallow rules
	###

	# wpa_supplicant should not trust any data from sdcards
	neverallow wpa sdcard_type:dir ~getattr;
	neverallow wpa sdcard_type:file *;