From 6caeac7b47efffbd2ded12475761b607fdb262ca Mon Sep 17 00:00:00 2001
From: Roshan Pius <rpius@google.com>
Date: Wed, 28 Sep 2016 15:12:23 -0700
Subject: [PATCH] wpa: Add permissions for hwbinder

Modify permissions for wpa_supplicant to use hwbinder (for HIDL), instead of binder.
Denials:
01-15 14:31:58.573 541 541 W wpa_supplicant: type=1400 audit(0.0:10): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0
01-15 14:31:58.573 541 541 W wpa_supplicant: type=1400 audit(0.0:11): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0
BUG: 31365276
Test: Compiled and ensured that the selinux denials are no longer present in logs.
Change-Id: Ifa4630edea6ec5a916b3940f9a03ef9dc6fc9af2
---
 public/wificond.te | 2 +-
 public/wpa.te | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/public/wificond.te b/public/wificond.te
index 82c10c131..0dd709f2c 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,10 +4,10 @@ type wificond_exec, exec_type, file_type;
 binder_use(wificond)
 binder_call(wificond, system_server)
-binder_call(wificond, wpa)
 hwbinder_use(wificond)
 binder_call(wificond, wifi_hal_legacy)
+binder_call(wificond, wpa)
 allow wificond wificond_service:service_manager { add find };
diff --git a/public/wpa.te b/public/wpa.te
index 3cb042bda..863b6b9fb 100644
--- a/public/wpa.te
+++ b/public/wpa.te
@@ -21,10 +21,9 @@ allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)
-# Binder interface exposed by WPA.
-binder_use(wpa)
+# HIDL interface exposed by WPA.
+hwbinder_use(wpa)
 binder_call(wpa, wificond)
-allow wpa wpa_supplicant_service:service_manager { add find };
 # Create a socket for receiving info from wpa
 allow wpa wpa_socket:dir create_dir_perms;
-- 
GitLab
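Review bot: The moved `binder_call(wificond, wpa)` in the wificond.te hunk has no comment, so its position under `hwbinder_use(wificond)` is the only hint that the call to wpa is now meant to go over hwbinder. The macro name still says binder, and the next person auditing which transport each peer uses will not be able to tell from the rule itself. I would add a line above the group such as `# wificond reaches wpa_supplicant and the legacy Wi-Fi HAL over hwbinder (HIDL).` so the intent survives later reordering.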
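Review bot: Removing `allow wpa wpa_supplicant_service:service_manager { add find };` in the wpa.te hunk drops the only per-service registration and lookup rule visible for wpa_supplicant, and the new side adds nothing equivalent for the HIDL interface. `hwbinder_use(wpa)` covers the `call` denial against hwservicemanager quoted in the commit message, but whether any policy restricts which domain may register or find this HIDL service cannot be seen from the hunk and should be confirmed. I would record the gap next to the new line, for example `# TODO: no per-interface add/find restriction for the HIDL service here; confirm where registration is limited to wpa.` The `wpa_supplicant_service` type and its service_contexts entry, which live outside this diff, presumably become unused and should be removed in the same change or a follow-up. The new comment also sits above `binder_call(wpa, wificond)`, so it is worth stating there whether that rule is for callbacks into wificond over hwbinder.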