From ca7b04ba525a61cb8663e5e6faf52bfcdb80dde8 Mon Sep 17 00:00:00 2001
From: Christopher Wiley <wiley@google.com>
Date: Mon, 22 Aug 2016 17:47:13 -0700
Subject: [PATCH] Allow wificond to set interfaces up and down

Setting interface state is apparently a privileged ioctl.  Being able to
do this allows us to no longer kill hostapd with SIGTERM, since we can
clean up after hard stops.

Bug: 31023120
Test: wificond unit and integration tests pass

Change-Id: Icdf2469d403f420c742871f54b9fb17432805991
---
 wificond.te | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/wificond.te b/wificond.te
index 7a80ac2ac..ae12e07e0 100644
--- a/wificond.te
+++ b/wificond.te
@@ -17,7 +17,10 @@ set_prop(wificond, ctl_default_prop)
 
 # create sockets to set interfaces up and down
 allow wificond self:udp_socket create_socket_perms;
+# setting interface state up/down is a privileged ioctl
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
 allow wificond self:capability { net_admin net_raw };
+# allow wificond to speak to nl80211 in the kernel
 allow wificond self:netlink_socket create_socket_perms_no_ioctl;
 
 r_dir_file(wificond, proc_net)
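Review bot: The comment added above the `allowxperm` line says the ioctl is privileged but not why a separate rule is needed when `create_socket_perms` on the line before it presumably already carries `ioctl`. The rule appears to be needed because a domain-wide ioctl command whitelist excludes SIOCSIFFLAGS, but that whitelist is not visible in this diff, so the next reader cannot tell from the file alone. Consider `# SIOCSIFFLAGS is not in the unprivileged socket ioctl whitelist, so it needs an explicit allowxperm;` followed by `# the kernel also requires CAP_NET_ADMIN for it (net_admin below).` Keeping the braces to this single command on the domain's own udp_socket is the right scope. It would help to say in the comment that further commands should be added only with the same justification.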
@@ -31,12 +34,6 @@ allow wificond wifi_data_file:file create_file_perms;
 #       files, which are owned by system or wifi (not wificond's root).
 allow wificond self:capability { chown fowner };
 
-# wificond tries to gracefully kill hostapd by sending it a signal.
-# wificond checks for hostapd liveliness with signull.
-allow wificond hostapd:process { signal signull };
-# wificond needs kill to drop mad signals on hostapd.
-allow wificond self:capability kill;
-
 # wificond cleans up sockets created by wpa_supplicant and framework
 allow wificond wpa_socket:dir rw_dir_perms;
 allow wificond system_wpa_socket:sock_file unlink;
-- 
GitLab