Skip to content
Snippets Groups Projects
Normal view Permalink
hostapd.te 1.29 KiB
Newer Older
  • Learn to ignore specific revisions
    • Stephen Smalley's avatar
    Confine hostapd, but leave it permissive for now.  
    Stephen Smalley committed
    1 
    # userspace wifi access points
    Christopher Wiley's avatar
    SEPolicy to start hostapd via init  
    Christopher Wiley committed
    2 
    type hostapd, domain;
    Sandeep Patil's avatar
    sepolicy: make exec_types in /vendor a subset of vendor_file_type  
    Sandeep Patil committed
    3 
    type hostapd_exec, exec_type, vendor_file_type, file_type;
    Nick Kralevich's avatar
    Enable SELinux protections for netd.
    Nick Kralevich committed
    4
    Po-Chien Hsueh's avatar
    sepolicy: Move hostapd to vendor  
    Po-Chien Hsueh committed
    5 
    init_daemon_domain(hostapd)
    dcashman's avatar
    Split general policy into public and private components.  
    dcashman committed
    6
    Stephen Smalley's avatar
    Clean up socket rules.  
    Stephen Smalley committed
    7 
    net_domain(hostapd)
    Christopher Wiley's avatar
    SEPolicy to start hostapd via init  
    Christopher Wiley committed
    8 
    allow hostapd self:capability { net_admin net_raw };
    Stephen Smalley's avatar
    Clean up socket rules.  
    Stephen Smalley committed
    9
    Christopher Wiley's avatar
    SEPolicy to start hostapd via init  
    Christopher Wiley committed
    10 11 12 13 14 15 16 17 18 
    # hostapd learns about its network interface via sysfs.
allow hostapd sysfs:file r_file_perms;
# hostapd follows the /sys/class/net/wlan0 link to the PCI device.
allow hostapd sysfs:lnk_file r_file_perms;

# Allow hostapd to access /proc/net/psched
allow hostapd proc_net:file { getattr open read };

# Various socket permissions.
    Jeff Vander Stoep's avatar
    Enforce ioctl command whitelisting on all sockets  
    Jeff Vander Stoep committed
    19 20 21 22 
    allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;
allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hostapd self:packet_socket create_socket_perms_no_ioctl;
    Stephen Smalley's avatar
    Clean up socket rules.  
    Stephen Smalley committed
    23 
    allow hostapd self:netlink_route_socket nlmsg_write;
    Stephen Smalley's avatar
    Confine hostapd, but leave it permissive for now.  
    Stephen Smalley committed
    24
    Christopher Wiley's avatar
    SEPolicy to start hostapd via init  
    Christopher Wiley committed
    25 26 
    # hostapd can read and write WiFi related data and configuration.
# For example, the entropy file is periodically updated.
    Stephen Smalley's avatar
    Confine hostapd, but leave it permissive for now.  
    Stephen Smalley committed
    27 
    allow hostapd wifi_data_file:file rw_file_perms;
    Christopher Wiley's avatar
    SEPolicy to start hostapd via init  
    Christopher Wiley committed
    28 29 
    r_dir_file(hostapd, wifi_data_file)
    Christopher Wiley's avatar
    Give hostapd permissions to use its control socket  
    Christopher Wiley committed
    30 31 32 
    # hostapd wants to create the directory holding its control socket.
allow hostapd hostapd_socket:dir create_dir_perms;
# hostapd needs to create, bind to, read, and write its control socket.
    Christopher Wiley's avatar
    SEPolicy to start hostapd via init  
    Christopher Wiley committed
    33 
    allow hostapd hostapd_socket:sock_file create_file_perms;