Commit b55ebfb0 authored by Stephen Smalley, committed by Nick Kralevich

DO NOT MERGE: Ensure that /data/misc/wifi/sockets is always labeled wpa_socket.


It appears that wpa_supplicant tries to rmdir /data/misc/wifi/sockets
and re-create it at times, so make sure that it remains labeled correctly
when re-created in this manner via a name-based type transition rule.
Do the same for hostapd as it also has permissions for creating/removing
this directory.

<5>[83921.800071] type=1400 audit(1392997522.105:26): avc:  denied  { rmdir } for  pid=3055 comm="wpa_supplicant" name="sockets" dev="mmcblk0p28" ino=618957 scontext=u:r:wpa:s0 tcontext=u:object_r:wpa_socket:s0 tclass=dir

We no longer need the type_transition for sock_file as it will inherit
the type from the parent directory which is set via restorecon_recursive
/data/misc/wifi/sockets or via type_transition, so drop it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 7ade68d7)

Change-Id: Ie3e2f4c14ce29a63634aa4049ab47f2624e93310
parent 5086de28
...@@ -11,6 +11,7 @@ allow hostapd self:udp_socket { create ioctl }; ...@@ -11,6 +11,7 @@ allow hostapd self:udp_socket { create ioctl };
allow hostapd wifi_data_file:file rw_file_perms; allow hostapd wifi_data_file:file rw_file_perms;
allow hostapd wifi_data_file:dir create_dir_perms; allow hostapd wifi_data_file:dir create_dir_perms;
type_transition hostapd wifi_data_file:dir wpa_socket "sockets";
allow hostapd wpa_socket:dir create_dir_perms; allow hostapd wpa_socket:dir create_dir_perms;
allow hostapd wpa_socket:sock_file create_file_perms; allow hostapd wpa_socket:sock_file create_file_perms;
allow hostapd netd:fd use; allow hostapd netd:fd use;
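Review bot: The added line type_transition hostapd wifi_data_file:dir wpa_socket "sockets"; has no comment, so hostapd.te gives a reader no hint why a name-based rule is needed here. Add a one-line comment above it saying that hostapd may remove and re-create /data/misc/wifi/sockets and that the directory must come back labeled wpa_socket. Note also that a name-based transition matches on the final path component only, so any directory named "sockets" that hostapd creates inside any wifi_data_file directory gets wpa_socket, not only the one under /data/misc/wifi; please confirm that is the intended scope.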
......
...@@ -19,8 +19,8 @@ binder_use(wpa) ...@@ -19,8 +19,8 @@ binder_use(wpa)
binder_call(wpa, keystore) binder_call(wpa, keystore)
# Create a socket for receiving info from wpa # Create a socket for receiving info from wpa
type_transition wpa wifi_data_file:sock_file wpa_socket; type_transition wpa wifi_data_file:dir wpa_socket "sockets";
allow wpa wpa_socket:dir { rw_dir_perms setattr }; allow wpa wpa_socket:dir create_dir_perms;
allow wpa wpa_socket:sock_file create_file_perms; allow wpa wpa_socket:sock_file create_file_perms;
# Allow wpa_cli to work. wpa_cli creates a socket in # Allow wpa_cli to work. wpa_cli creates a socket in
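Review bot: With the sock_file transition dropped in the first changed line of this hunk, a socket that wpa creates directly in a wifi_data_file directory (anywhere other than inside "sockets") keeps the wifi_data_file label, and the only sock_file rule visible here is allow wpa wpa_socket:sock_file create_file_perms;, so that create would be denied unless a rule outside this hunk covers it. Please confirm that every socket wpa creates lives under the sockets directory. The comment "# Create a socket for receiving info from wpa" now sits above a directory transition and should be reworded, and since the dir rule goes from { rw_dir_perms setattr } to create_dir_perms, the comment should say that wpa needs to remove and re-create the directory.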
......