authorBo Hu <bohu@google.com>2018-06-13 05:18:47 (GMT)
committerAndroid (Google) Code Review <android-gerrit@google.com>2018-06-13 05:18:47 (GMT)
commit941f8e102c024f884617baaa9471a27c55bdccb0 (patch)
tree2c92bb976d34a64fde9587fd60cdfe2a767cb924 /target
parent667685301600040c0006752bbf7ec0335efa9a56 (diff)
parenta2d754ce3a611bcd51945e17642cb52e920cc0ad (diff)
Merge "Support new hostapd build target without HIDL" into pi-dev
Diffstat (limited to 'target')
-rw-r--r--target/board/generic/sepolicy/execns.te13
-rw-r--r--target/board/generic/sepolicy/file_contexts1
-rw-r--r--target/board/generic/sepolicy/hostapd_nohidl.te16
3 files changed, 20 insertions, 10 deletions
diff --git a/target/board/generic/sepolicy/execns.te b/target/board/generic/sepolicy/execns.te
index 9675a99..dc6c424 100644
--- a/target/board/generic/sepolicy/execns.te
+++ b/target/board/generic/sepolicy/execns.te
@@ -6,7 +6,7 @@ init_daemon_domain(execns)
allow execns varrun_file:dir search;
allow execns varrun_file:file r_file_perms;
-allow execns self:capability sys_admin;
+allow execns self:capability { sys_admin setuid setgid };
allow execns nsfs:file { open read };
#Allow execns itself to be run by init in its own domain
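Review bot: The widened capability rule `allow execns self:capability { sys_admin setuid setgid };` has no comment saying which code path in execns now needs to change uid/gid, and neither the rest of this hunk nor the merge title ("Support new hostapd build target without HIDL") explains it. Capability grants on a domain that launches other daemons are exactly the rules a later auditor will want justified, so a one-line why-comment above the rule would help, e.g. `# setuid/setgid: execns switches uid/gid before exec'ing the daemons it launches (confirm against execns source)`. If only the new hostapd_nohidl launch path needs it, saying so here also ties the grant to the second hunk of this file, where the transition into hostapd_nohidl is added.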
@@ -18,15 +18,8 @@ domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
# Allow dhcpserver to be run by execns in its own domain
domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
-# Rules to allow execution of hostapd and allow it to run
-allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };
-allow execns self:capability { net_admin net_raw };
-allow execns self:netlink_generic_socket { bind create getattr read setopt write };
-allow execns self:netlink_route_socket { bind create read write nlmsg_write };
-allow execns execns:udp_socket { create ioctl };
-allow execns self:packet_socket { create setopt };
-allow execns sysfs_net:dir { search };
-allowxperm execns self:udp_socket ioctl priv_sock_ioctls;
+# Allow hostapd_nohidl to be run by execns in its own domain
+domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl);
# Allow execns to read createns proc file to get the namespace file
allow execns createns:file read;
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
index 73fe752..7cd79fe 100644
--- a/target/board/generic/sepolicy/file_contexts
+++ b/target/board/generic/sepolicy/file_contexts
@@ -24,6 +24,7 @@
/vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
/vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
/vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0
+/vendor/bin/hostapd_nohidl u:object_r:hostapd_nohidl_exec:s0
/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
diff --git a/target/board/generic/sepolicy/hostapd_nohidl.te b/target/board/generic/sepolicy/hostapd_nohidl.te
new file mode 100644
index 0000000..add648a
--- /dev/null
+++ b/target/board/generic/sepolicy/hostapd_nohidl.te
@@ -0,0 +1,16 @@
+type hostapd_nohidl, domain;
+type hostapd_nohidl_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hostapd_nohidl)
+net_domain(hostapd_nohidl)
+
+allow hostapd_nohidl execns:fd use;
+
+allow hostapd_nohidl self:capability { net_admin net_raw };
+allow hostapd_nohidl self:netlink_generic_socket { bind create getattr read setopt write };
+allow hostapd_nohidl self:netlink_route_socket nlmsg_write;
+allow hostapd_nohidl self:packet_socket { create setopt };
+allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls;
+
+# hostapd will attempt to search sysfs but it's not needed and will spam the log
+dontaudit hostapd_nohidl sysfs_net:dir search;
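Review bot: The new policy file has no header comment stating what the hostapd_nohidl domain is and how it is entered, and the per-rule comments stop after the sysfs dontaudit. Two things are worth spelling out at the top: that the domain is reachable both from init (via `init_daemon_domain(hostapd_nohidl)`) and from execns (via the `domain_auto_trans` added in execns.te in this same commit), and that `allow hostapd_nohidl execns:fd use;` exists because the daemon inherits descriptors from execns when launched that way — the second point is inferred from the rule and should be confirmed. The rule set also differs from what was removed from execns: `netlink_route_socket` drops to `nlmsg_write` only and the `udp_socket { create ioctl }` rule is gone; if `net_domain()` is expected to supply those base socket permissions (which `allowxperm ... udp_socket ioctl priv_sock_ioctls` depends on), a comment such as `# base socket perms come from net_domain(); only the privileged extras are listed here` would make the intent clear and keep the next reviewer from re-adding them.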