wifi: Add sepolicy for LOWI tools am: 374602a559

Original change: https://googleplex-android-review.googlesource.com/c/device/google/lynx-sepolicy/+/17055632 Change-Id: Ida6ded1365a507b07eb92f7eeabf619cc501e932
2022-03-16 06:42:05 +00:00
parent cb1d5fab40 374602a559
commit ea39396cd5
9 changed files with 85 additions and 0 deletions
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -0,0 +1,5 @@
+type vendor_location_data_file, file_type, data_file_type;
+type vendor_location_socket, file_type;
+type vendor_wifi_vendor_data_file, file_type, data_file_type;
+type vendor_wifihal_socket, file_type;
+type vendor_location_sysfs, fs_type, sysfs_type;
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -9,4 +9,9 @@
 /dev/lwis-sensor-imx787                                                     u:object_r:lwis_device:s0

 # Wifi
+/data/vendor/wifi(/.*)?                 u:object_r:vendor_wifi_vendor_data_file:s0
 /dev/wlan                               u:object_r:vendor_wlan_device:s0
+/dev/socket/location(/.*)?              u:object_r:vendor_location_socket:s0
+/dev/socket/wifihal(/.*)?               u:object_r:vendor_wifihal_socket:s0
+/vendor/bin/loc_launcher                u:object_r:vendor_location_exec:s0
+/vendor/bin/lowi-server                 u:object_r:lowi_server_exec:s0
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -1,2 +1,5 @@
 # Haptics
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a             u:object_r:sysfs_vibrator:s0
+
+# Wifi
+genfscon sysfs /devices/soc0/soc_id      u:object_r:vendor_location_sysfs:s0
--- a/vendor/hal_wifi_ext.te
+++ b/vendor/hal_wifi_ext.te
@@ -1 +1,12 @@
 allow hal_wifi_ext vendor_wlan_device:chr_file w_file_perms;
+
+# write to files owned by location daemon
+allow hal_wifi_ext vendor_location_socket:dir rw_dir_perms;
+allow hal_wifi_ext vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow hal_wifi_ext vendor_location:unix_dgram_socket sendto;
+allow hal_wifi_ext lowi_server:unix_dgram_socket sendto;
+
+# Connect to vendor_location via vendor_location socket.
+unix_socket_connect(hal_wifi, vendor_location, vendor_location)
+allow hal_wifi_ext vendor_wifihal_socket:dir rw_dir_perms;
+allow hal_wifi_ext vendor_wifihal_socket:sock_file create_file_perms;
--- a/vendor/hal_wifi_hostapd.te
+++ b/vendor/hal_wifi_hostapd.te
@@ -0,0 +1 @@
+allow hal_wifi_hostapd_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
--- a/vendor/hal_wifi_supplicant.te
+++ b/vendor/hal_wifi_supplicant.te
@@ -0,0 +1 @@
+allow hal_wifi_supplicant_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
--- a/vendor/ioctl_macros
+++ b/vendor/ioctl_macros
@@ -0,0 +1,9 @@
+define(`lowi_server_ioctls', `{
+SIOCGIFINDEX
+SIOCGIFHWADDR
+SIOCGIFFLAGS
+SIOCIWFIRSTPRIV_05
+SIOCIWFIRSTPRIV_11
+SIOCIWFIRSTPRIV_13
+SIOCDEVPRIVATE_1
+}')
--- a/vendor/lowi_server.te
+++ b/vendor/lowi_server.te
@@ -0,0 +1,35 @@
+# lowi_server service
+# which launches various other services supporting Wifi-RTT (LOWI) vendor_location
+type lowi_server, domain;
+type lowi_server_exec, exec_type, vendor_file_type, file_type;
+
+hwbinder_use(lowi_server)
+allow lowi_server self:udp_socket create_socket_perms;
+allow lowi_server self:netlink_route_socket create_socket_perms_no_ioctl;
+
+## lowi-server
+##############
+allow lowi_server vendor_location:fd use;
+allow lowi_server vendor_location:unix_dgram_socket sendto;
+
+# some additional network access
+allow lowi_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allowxperm lowi_server self:udp_socket ioctl lowi_server_ioctls;
+
+# /data/vendor/wifi
+allow lowi_server vendor_wifi_vendor_data_file:dir rw_dir_perms;
+
+# /data/vendor/wifi/wpa
+allow lowi_server wpa_data_file:dir rw_dir_perms;
+allow lowi_server wpa_data_file:sock_file create_file_perms;
+allow lowi_server hal_wifi_supplicant_default:unix_dgram_socket sendto;
+
+# /dev/socket/wifihal
+allow lowi_server vendor_wifihal_socket:dir rw_dir_perms;
+allow lowi_server vendor_wifihal_socket:sock_file create_file_perms;
+allow lowi_server vendor_wifihal_socket:unix_dgram_socket sendto;
+unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_ext);
+
+# /dev/socket/vendor_location
+allow lowi_server vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow lowi_server vendor_location_socket:dir rw_dir_perms;
--- a/vendor/vendor_location.te
+++ b/vendor/vendor_location.te
@@ -0,0 +1,15 @@
+# loc_launcher service
+# which launches various other services supporting Wifi-RTT (LOWI) vendor_location
+type vendor_location, domain;
+type vendor_location_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_location)
+
+# execute permission for vendor_location daemons in /vendor/bin/
+domain_auto_trans(vendor_location, lowi_server_exec, lowi_server)
+
+# /dev/socket/vendor_location
+allow vendor_location vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow vendor_location vendor_location_socket:dir rw_dir_perms;
+
+# /sys/devices/soc0/soc_id
+allow vendor_location vendor_location_sysfs:file create_file_perms;
				`@@ -0,0 +1 @@`
				`allow hal_wifi_hostapd_default vendor_wifi_vendor_data_file:dir rw_dir_perms;`
				`@@ -0,0 +1 @@`
				`allow hal_wifi_supplicant_default vendor_wifi_vendor_data_file:dir rw_dir_perms;`