From 781cfd8255ff476598bcd9a111d2ded3e4a5ecf7 Mon Sep 17 00:00:00 2001
From: Ningyuan Wang <nywang@google.com>
Date: Mon, 18 Jul 2016 16:48:50 -0700
Subject: [PATCH] add netlink socket permission for wificond

wificond: type=1400 audit(0.0:43): avc: denied { create } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1
wificond: type=1400 audit(0.0:44): avc: denied { setopt } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1
wificond: type=1400 audit(0.0:45): avc: denied { net_admin } for capability=12 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=capability permissive=1
wificond: type=1400 audit(0.0:46): avc: denied { bind } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1
wificond: type=1400 audit(0.0:47): avc: denied { write } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1
wificond: type=1400 audit(0.0:48): avc: denied { read } for path="socket:[35892]" dev="sockfs" ino=35892 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1

TEST=compile and run

Change-Id: I5e1befabca7388d5b2145f49462e5cff872d9f43
---
 wificond.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/wificond.te b/wificond.te
index acdf522ba..6f51f2f99 100644
--- a/wificond.te
+++ b/wificond.te
@@ -16,6 +16,7 @@ set_prop(wificond, wifi_prop)
 # create sockets to set interfaces up and down
 allow wificond self:udp_socket create_socket_perms;
-allow wificond self:capability net_raw;
+allow wificond self:capability { net_admin net_raw };
+allow wificond self:netlink_socket create_socket_perms_no_ioctl;
 r_dir_file(wificond, proc_net)
--
GitLab
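Review bot: The two added rules (the widened capability set and the new netlink_socket grant) carry no comment, while the udp_socket rule just above documents why it exists; a line before them such as `# netlink to the wifi driver (presumably nl80211 over generic netlink); net_admin is needed for the netlink operations wificond issues` would let the next reader tie the grant back to the denials quoted in the description. Note that `netlink_socket` is the catch-all class for every netlink family that has no dedicated class, so this grant is wider than the one family wificond presumably uses; if the kernels this policy targets expose a family-specific class (newer kernels offer `netlink_generic_socket` behind the extended_socket_class policy capability), that would be the tighter choice and worth a TODO here. Using `create_socket_perms_no_ioctl` rather than `create_socket_perms` is the right narrowing and should be kept. The audit lines in the description show only create/setopt/bind/write/read on netlink_socket plus CAP_NET_ADMIN, which matches what the hunk grants and nothing more.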