From 18883a93b795da6409beeddf2c6ce34ce8234cb0 Mon Sep 17 00:00:00 2001
From: Roshan Pius <rpius@google.com>
Date: Thu, 30 Jun 2016 08:20:29 -0700
Subject: [PATCH] sepolicy: Add permissions for wpa_supplicant binder

Add the necessary permissions for |wpa_supplicant| to expose a binder
interface. This binder interface will be used by the newly added
|wificond| service (and potentially system_server).
|wpa_supplicant| also needs to invoke binder callbacks on |wificond|.

Changes in the CL:
1. Allow |wpa_supplicant| to register binder service.
2. Allow |wpa_supplicant| to invoke binder calls on |wificond|.
3. Allow |wificond| to invoke binder calls on |wpa_supplicant|.

Denials:
06-30 08:14:42.788   400   400 E SELinux : avc:  denied  { add } for
service=wpa_supplicant pid=20756 uid=1010 scontext=u:r:wpa:s0
tcontext=u:object_r:default_android_service:s0 tclass=service_manager
permissive=1

BUG:29877467
TEST: Compiled and ensured that the selinux denials are no longer
present in logs.
TEST: Ran integration test to find the service.

Change-Id: Ib78d8e820fc81b2c3d9260e1c877c5faa9f1f662
---
 service.te       | 1 +
 service_contexts | 1 +
 wificond.te      | 1 +
 wpa.te           | 3 +++
 4 files changed, 6 insertions(+)

diff --git a/service.te b/service.te
index c891ca8e0..d72d6552a 100644
--- a/service.te
+++ b/service.te
@@ -120,3 +120,4 @@ type wifiscanner_service, system_api_service, system_server_service, service_man
 type wifi_service, app_api_service, system_server_service, service_manager_type;
 type wificond_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
+type wpa_supplicant_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 218cb8f9f..2b7a1b113 100644
--- a/service_contexts
+++ b/service_contexts
@@ -145,4 +145,5 @@ wifiscanner                               u:object_r:wifiscanner_service:s0
 wifi                                      u:object_r:wifi_service:s0
 wificond                                  u:object_r:wificond_service:s0
 window                                    u:object_r:window_service:s0
+wpa                                       u:object_r:wpa_supplicant_service:s0
 *                                         u:object_r:default_android_service:s0
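Review bot: The new service_contexts entry maps the service name `wpa` to `wpa_supplicant_service`, but the denial quoted in the commit message was recorded for `service=wpa_supplicant`. If the daemon still registers under the name `wpa_supplicant`, that name falls through to the `*` line, the object is labelled `default_android_service`, and the `add` from the `wpa` domain keeps being denied because wpa.te only grants `add` on `wpa_supplicant_service`. Either the registered name was changed to `wpa` in the supplicant code (not visible here) or this line should read `wpa_supplicant                            u:object_r:wpa_supplicant_service:s0`; the commit message should state which name the service is published under so the two files can be cross-checked.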
diff --git a/wificond.te b/wificond.te
index edc82e0d5..0da5f380b 100644
--- a/wificond.te
+++ b/wificond.te
@@ -6,5 +6,6 @@ init_daemon_domain(wificond)
 
 binder_use(wificond)
 binder_call(wificond, system_server)
+binder_call(wificond, wpa)
 
 allow wificond wificond_service:service_manager { add find };
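Review bot: wificond is described as the client of the new binder interface, but the added `binder_call(wificond, wpa)` only covers the transaction itself; nothing in this patch lets wificond look the service up in servicemanager. Unless wificond obtains the binder handle some other way (for example handed to it by system_server), it will hit a `{ find }` denial on `wpa_supplicant_service` the first time it calls getService. Adding `allow wificond wpa_supplicant_service:service_manager find;` next to the existing wificond_service rule would close that gap. The `system_server_service` attribute on the new type likely gives system_server `find` already (that rule lives in system_server.te, outside this diff), which matches the "potentially system_server" wording but not the primary consumer.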
diff --git a/wpa.te b/wpa.te
index dddc801e0..dfb73dc2e 100644
--- a/wpa.te
+++ b/wpa.te
@@ -23,7 +23,10 @@ allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)
 
+# Binder interface exposed by WPA.
 binder_use(wpa)
+binder_call(wpa, wificond)
+allow wpa wpa_supplicant_service:service_manager { add find };
 
 # Create a socket for receiving info from wpa
 type_transition wpa wifi_data_file:dir wpa_socket "sockets";
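Review bot: The new rule grants the wpa domain both `add` and `find` on `wpa_supplicant_service`, but the only operation the commit message describes, and the only one in the quoted denial, is `add`; a domain registering its own service does not normally need to look it up. Unless wpa_supplicant itself calls getService on its own name, trimming the line to `allow wpa wpa_supplicant_service:service_manager add;` keeps the grant to what the daemon actually does. The comment `# Binder interface exposed by WPA.` is placed above the pre-existing `binder_use(wpa)` line; moving it directly above the two added lines, or extending it to `# Binder interface exposed by WPA; wificond is the expected client.`, would make clear which rules the comment introduces.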
-- 
GitLab