From e7cad6cdc2d504e6b1a4439acec9ca255e11c896 Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Fri, 9 Mar 2018 15:47:47 -0800
Subject: [PATCH] Hide denial for wpa_supplicant writing to /data/misc/wifi.

It should instead write to /data/vendor/wifi.

Bug: 36645291
Test: Built policy.
Change-Id: Ib7ba3477fbc03ebf07b886c60bcf4a64b954934a
(cherry picked from commit cc9b30a1cddf7842915fe2df941a5d5911e4de82)
---
 vendor/hal_wifi_supplicant_default.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 9b70dd5ed..2e04dcf2c 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -19,3 +19,11 @@ allow hal_wifi_supplicant_default wpa_data_file:sock_file create_file_perms;
 # Write to security logs for audit.
 get_prop(hal_wifi_supplicant_default, device_logging_prop)
+
+# Devices upgrading to P may grant this permission in device-specific
+# policy along with the data_between_core_and_vendor_violators
+# attribute needed for an exemption. However, devices that launch with
+# P should use /data/vendor/wifi, which is already granted in core
+# policy. This is dontaudited here to avoid conditional
+# device-specific behavior in wpa_supplicant.
+dontaudit hal_wifi_supplicant_default wifi_data_file:dir search;
-- 
GitLab
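Review bot: The comment above the added `dontaudit` names neither the directory being hidden nor what the rule costs in visibility. The rule sits in the shared vendor policy file, so it suppresses the `search` audit record on every device that builds this file, including upgrading devices that still depend on the old location. If such a device omits the device-specific allow, wpa_supplicant's directory lookup fails with no avc line to point at the cause. I would add a line such as `# Only the audit record is suppressed; search on wifi_data_file (/data/misc/wifi) stays denied unless device policy allows it.` The mapping of `wifi_data_file` to /data/misc/wifi is inferred from the commit subject, not shown in the hunk, so confirm it against file_contexts.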