From 1ebfdd6a14fb21705664c8e144f151b39c3d73f8 Mon Sep 17 00:00:00 2001
From: Christopher Wiley <wiley@google.com>
Date: Wed, 29 Jun 2016 11:28:20 -0700
Subject: [PATCH] Separate permissions to set WiFi related properties

wificond would like to be able to set WiFi related properties
without access to the rest of the system properties.  Today,
this only involves marking the driver as loaded or unloaded.

avc: denied { write } for name="property_service" dev="tmpfs" ino=10100
scontext=u:r:wificond:s0 tcontext=u:object_r:property_socket:s0
tclass=sock_file permissive=0

Bug: 29579539
Test: No avc denials related to system properties across
      various WiFi events.

Change-Id: I6d9f1de3fbef04cb7750cc3753634f9e02fdb71f
---
 property.te       | 1 +
 property_contexts | 4 +++-
 system_server.te  | 1 +
 wificond.te       | 2 ++
 4 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/property.te b/property.te
index af7013f4c..2802c0d33 100644
--- a/property.te
+++ b/property.te
@@ -13,6 +13,7 @@ type system_radio_prop, property_type, core_property_type;
 type system_prop, property_type, core_property_type;
 type vold_prop, property_type, core_property_type;
 type wifi_log_prop, property_type, log_property_type;
+type wifi_prop, property_type;
 type ctl_bootanim_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_dumpstate_prop, property_type;
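Review bot: `wifi_prop` is declared with `property_type` only, whereas the `system_prop` type that previously labelled `wlan.*` (removed in the property_contexts hunk) also carries `core_property_type`, so any rule keyed on that attribute no longer applies to `wlan.*`; confirm this narrowing is intended and state it in the description. Relabelling the prefix also removes write access from every domain that could set `wlan.*` only through `set_prop(..., system_prop)`; this commit re-grants system_server and wificond, and the stated test covered only WiFi events, so any other writer of `wlan.*` (init .rc scripts or vendor components) would now hit `property_service set` denials. Readers are presumably unaffected if domains are allowed to read all `property_type` files, but that rule is not in this patch and should be checked.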
diff --git a/property_contexts b/property_contexts
index 2326fa807..5fbb0cd09 100644
--- a/property_contexts
+++ b/property_contexts
@@ -25,7 +25,6 @@ sys.cppreopt            u:object_r:cppreopt_prop:s0
 sys.powerctl            u:object_r:powerctl_prop:s0
 sys.usb.ffs.            u:object_r:ffs_prop:s0
 service.                u:object_r:system_prop:s0
-wlan.                   u:object_r:system_prop:s0
 dhcp.                   u:object_r:dhcp_prop:s0
 dhcp.bt-pan.result      u:object_r:pan_result_prop:s0
 bluetooth.              u:object_r:bluetooth_prop:s0
@@ -95,3 +94,6 @@ config.                 u:object_r:config_prop:s0
 ro.config.              u:object_r:config_prop:s0
 dalvik.                 u:object_r:dalvik_prop:s0
 ro.dalvik.              u:object_r:dalvik_prop:s0
+
+# Shared between system server and wificond
+wlan.                   u:object_r:wifi_prop:s0
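Review bot: The `wlan.` rule is re-added at the very end of the file, after the `dalvik.` entries, instead of staying beside the other network prefixes (`dhcp.`, `bluetooth.`) where the first hunk removed it; leaving it in place would make the relabel a one-line change and keep related prefixes grouped. The new comment says who shares the property but not that this is a prefix rule covering every `wlan.*` key; suggest `# wlan.* - set by system_server and wificond (see wifi_prop)`.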
diff --git a/system_server.te b/system_server.te
index d74c3cf4f..a50abe661 100644
--- a/system_server.te
+++ b/system_server.te
@@ -339,6 +339,7 @@ set_prop(system_server, debug_prop)
 set_prop(system_server, powerctl_prop)
 set_prop(system_server, fingerprint_prop)
 set_prop(system_server, device_logging_prop)
+set_prop(system_server, wifi_prop)
 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 
 # ctl interface
diff --git a/wificond.te b/wificond.te
index 2f100dbae..544c99213 100644
--- a/wificond.te
+++ b/wificond.te
@@ -11,3 +11,5 @@ binder_call(wificond, wpa)
 allow wificond wificond_service:service_manager { add find };
 
 allow wificond sysfs_wlan_fwpath:file w_file_perms;
+
+set_prop(wificond, wifi_prop)
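Review bot: `set_prop(wificond, wifi_prop)` lets wificond set every `wlan.*` property, while the description says the only current need is marking the driver as loaded or unloaded; a comment recording that scope would help the next reviewer judge whether broader use is a regression, e.g. `# wlan.* properties (currently driver loaded/unloaded state)`. If the set of keys wificond must write stays small and fixed, a narrower prefix for those keys could be considered in a follow-up.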
-- 
GitLab