From 5f8d9f85b0b3b799f2ac15352ae3c92e61675dba Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 12 Mar 2014 15:09:17 -0400
Subject: [PATCH] Label /data/misc/wifi/hostapd with wpa_socket type.

hostapd creates sockets under /data/misc/wifi/hostapd.
Ensure that they are labeled correctly both at runtime
(type_transition) and during the init.rc restorecon_recursive /data
(file_contexts).

Addresses denials such as:
 avc:  denied  { create } for  pid=20476 comm="hostapd" name="wlan0" scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file
 avc:  denied  { setattr } for  pid=20476 comm="hostapd" name="wlan0" dev="mmcblk0p23" ino=619005 scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file
 avc:  denied  { unlink } for  pid=20476 comm="hostapd" name="wlan0" dev="mmcblk0p23" ino=619005 scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file

Change-Id: I80a443faeb6017a9d6cbdb8da9d7416f29a7b85f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 file_contexts | 1 +
 hostapd.te    | 1 +
 2 files changed, 2 insertions(+)

diff --git a/file_contexts b/file_contexts
index 8bc312f2e..fe9a94239 100644
--- a/file_contexts
+++ b/file_contexts
@@ -192,6 +192,7 @@
 /data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
+/data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 
 # Wallpaper file for other users
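Review bot: The new entry `/data/misc/wifi/hostapd(/.*)?` reuses `wpa_socket`, the type already applied to `/data/misc/wifi/sockets`, so any domain that policy allows to write or connect to `wpa_socket` sock_files would also be allowed to reach hostapd's control sockets. Which domains those are is not visible in this patch, so it is worth checking against the rest of the policy. If some of them have no need to talk to hostapd, a dedicated type (for example a newly declared `hostapd_socket`) would keep the two sets of sockets separately controllable. The same choice applies to the `type_transition` added in hostapd.te. The `(/.*)?` pattern also labels any regular file written under that directory as `wpa_socket`, which is only appropriate if the directory holds nothing but sockets.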
diff --git a/hostapd.te b/hostapd.te
index 184b26f28..90a031400 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -13,6 +13,7 @@ allow hostapd self:netlink_route_socket nlmsg_write;
 allow hostapd wifi_data_file:file rw_file_perms;
 allow hostapd wifi_data_file:dir create_dir_perms;
 type_transition hostapd wifi_data_file:dir wpa_socket "sockets";
+type_transition hostapd wifi_data_file:dir wpa_socket "hostapd";
 allow hostapd wpa_socket:dir create_dir_perms;
 allow hostapd wpa_socket:sock_file create_file_perms;
 allow hostapd netd:fd use;
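Review bot: The added named transition is tied to the literal component name `"hostapd"` and to directories that hostapd itself creates, yet nothing in the file says it has to stay in step with the `/data/misc/wifi/hostapd(/.*)?` entry in file_contexts. A comment above the two transitions would record that, e.g. `# Control-socket dirs created by hostapd under /data/misc/wifi; names must match file_contexts.` If another domain can create the directory before hostapd runs (not visible here), it stays `wifi_data_file` until restorecon relabels it. In that window the sock_file denials quoted in the commit message would presumably reappear.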
-- 
GitLab