      1 # wpa - wpa supplicant or equivalent
      2 type wpa, domain;
      3 type wpa_exec, exec_type, file_type;
      4 
      5 init_daemon_domain(wpa)
      6 
      7 net_domain(wpa)
      8 
      9 allow wpa kernel:system module_request;
     10 allow wpa self:capability { setuid net_admin setgid net_raw };
     11 allow wpa cgroup:dir create_dir_perms;
     12 allow wpa self:netlink_route_socket nlmsg_write;
     13 allow wpa self:netlink_socket create_socket_perms;
     14 allow wpa self:packet_socket create_socket_perms;
     15 allow wpa wifi_data_file:dir create_dir_perms;
     16 allow wpa wifi_data_file:file create_file_perms;
     17 unix_socket_send(wpa, system_wpa, system_server)
     18 
     19 binder_use(wpa)
     20 
     21 # Create a socket for receiving info from wpa
     22 type_transition wpa wifi_data_file:dir wpa_socket "sockets";
     23 allow wpa wpa_socket:dir create_dir_perms;
     24 allow wpa wpa_socket:sock_file create_file_perms;
     25 
     26 use_keystore(wpa)
     27 
     28 # WPA (wifi) has a restricted set of permissions from the default.
     29 allow wpa keystore:keystore_key {
     30 	get
     31 	sign
     32 	verify
     33 };
     34 
     35 # Allow wpa_cli to work. wpa_cli creates a socket in
     36 # /data/misc/wifi/sockets which wpa supplicant communicates with.
     37 userdebug_or_eng(`
     38   unix_socket_send(wpa, wpa, su)
     39 ')
     40 
     41 ###
     42 ### neverallow rules
     43 ###
     44 
     45 # wpa_supplicant should not trust any data from sdcards
     46 neverallow wpa sdcard_type:dir ~getattr;
     47 neverallow wpa sdcard_type:file *;
     48