From b55ebfb076938d9292aa5aded1fe51c59c103947 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 21 Feb 2014 11:28:20 -0500
Subject: [PATCH] DO NOT MERGE: Ensure that /data/misc/wifi/sockets is always labeled wpa_socket.

It appears that wpa_supplicant tries to rmdir /data/misc/wifi/sockets and re-create it at times, so make sure that it remains labeled correctly when re-created in this manner via a name-based type transition rule. Do the same for hostapd as it also has permissions for creating/removing this directory.

<5>[83921.800071] type=1400 audit(1392997522.105:26): avc: denied { rmdir } for pid=3055 comm="wpa_supplicant" name="sockets" dev="mmcblk0p28" ino=618957 scontext=u:r:wpa:s0 tcontext=u:object_r:wpa_socket:s0 tclass=dir

We no longer need the type_transition for sock_file as it will inherit the type from the parent directory which is set via restorecon_recursive /data/misc/wifi/sockets or via type_transition, so drop it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit 7ade68d797a83b8f4e5162f523f4caa0f246ff03)
Change-Id: Ie3e2f4c14ce29a63634aa4049ab47f2624e93310
---
 hostapd.te | 1 +
 wpa_supplicant.te | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/hostapd.te b/hostapd.te
index a6ca0e754..caa7b6ddf 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -11,6 +11,7 @@ allow hostapd self:udp_socket { create ioctl };
 allow hostapd wifi_data_file:file rw_file_perms;
 allow hostapd wifi_data_file:dir create_dir_perms;
+type_transition hostapd wifi_data_file:dir wpa_socket "sockets";
 allow hostapd wpa_socket:dir create_dir_perms;
 allow hostapd wpa_socket:sock_file create_file_perms;
 allow hostapd netd:fd use;
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index 2f51ff322..ae4b96ccf 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
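Review bot: The added `type_transition hostapd wifi_data_file:dir wpa_socket "sockets";` carries no comment explaining why hostapd needs a name-based transition, whereas the parallel rule in wpa_supplicant.te sits under one; suggest `# hostapd can rmdir and re-create /data/misc/wifi/sockets; keep the re-created dir labeled wpa_socket` above it. Note that the transition fires only for a directory named exactly "sockets" created inside any wifi_data_file-labeled directory, not just /data/misc/wifi, so a directory created under another name keeps wifi_data_file, where the existing `allow hostapd wpa_socket:sock_file create_file_perms;` would not cover sockets placed in it and the failure would show up as a sock_file denial on wifi_data_file. Name-based transitions presumably require filename_trans support in the kernel and policy version of the branch this is cherry-picked to, which is worth confirming given the DO NOT MERGE tag.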
@@ -19,8 +19,8 @@ binder_use(wpa)
 binder_call(wpa, keystore)
 # Create a socket for receiving info from wpa
-type_transition wpa wifi_data_file:sock_file wpa_socket;
-allow wpa wpa_socket:dir { rw_dir_perms setattr };
+type_transition wpa wifi_data_file:dir wpa_socket "sockets";
+allow wpa wpa_socket:dir create_dir_perms;
 allow wpa wpa_socket:sock_file create_file_perms;
 # Allow wpa_cli to work. wpa_cli creates a socket in
-- GitLab
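Review bot: The context comment `# Create a socket for receiving info from wpa` directly above the changed lines now describes the removed sock_file transition rather than the new rule, which labels the "sockets" directory itself when wpa creates it under a wifi_data_file directory; since that comment is context here, the patch would need to touch it. Suggest rewording it to `# wpa removes and re-creates /data/misc/wifi/sockets; label the new dir wpa_socket` so the next reader does not look for a sock_file rule. The widening from `{ rw_dir_perms setattr }` to `create_dir_perms` is what the rmdir denial quoted in the commit message needs, but if create_dir_perms in this tree's global_macros does not itself include setattr, the previously granted setattr would be silently lost — worth a quick check against the macro definition.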