Allow wificond to set interfaces up and down

This is apparently a privileged ioctl. Being able to do this allows us to no longer kill hostapd with SIGTERM, since we can cleanup after hard stops. Bug: 31023120 Test: wificond unit and integration tests pass Change-Id: Icdf2469d403f420c742871f54b9fb17432805991

Allow wificond to set interfaces up and down
ca7b04ba · Christopher Wiley · fab61e83 · ca7b04ba
Commit ca7b04ba authored 8 years ago by Christopher Wiley
--- a/wificond.te
+++ b/wificond.te
@@ -17,7 +17,10 @@ set_prop(wificond, ctl_default_prop)

 # create sockets to set interfaces up and down
 allow wificond self:udp_socket create_socket_perms;
+# setting interface state up/down is a privileged ioctl
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
 allow wificond self:capability { net_admin net_raw };
+# allow wificond to speak to nl80211 in the kernel
 allow wificond self:netlink_socket create_socket_perms_no_ioctl;

 r_dir_file(wificond, proc_net)
@@ -31,12 +34,6 @@ allow wificond wifi_data_file:file create_file_perms;
 #       files, which are owned by system or wifi (not wificond's root).
 allow wificond self:capability { chown fowner };

-# wificond tries to gracefully kill hostapd by sending it a signal.
-# wificond checks for hostapd liveliness with signull.
-allow wificond hostapd:process { signal signull };
-# wificond needs kill to drop mad signals on hostapd.
-allow wificond self:capability kill;
-
 # wificond cleans up sockets created by wpa_supplicant and framework
 allow wificond wpa_socket:dir rw_dir_perms;
 allow wificond system_wpa_socket:sock_file unlink;