From f63759714c4145f96a8e3dee191163b39b6f8897 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 8 Nov 2017 12:49:32 -0800
Subject: [PATCH] wifi_supplicant: refactor permissions

1. remove some duplicate permissions.
2. Grant permissions to su for dgram sockets in a way that is
   consistent with how we grant permissions to stream_sockets.

Bug: 34980020
Test: build
Change-Id: I50e01d51444a70ead3ef40b52eda8eb29732b46c
---
 public/domain.te              | 5 ++---
 public/hal_wifi_supplicant.te | 6 ------
 2 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 914ef9776..51f4081f6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -33,10 +33,9 @@ allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
 allow domain init:fd use;
 
 userdebug_or_eng(`
-  # Same as adbd rules above, except allow su to do the same thing
-  allow domain su:unix_stream_socket connectto;
   allow domain su:fd use;
-  allow domain su:unix_stream_socket { getattr getopt read write shutdown };
+  allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
+  allow domain su:unix_dgram_socket sendto;
 
   allow { domain -init } su:binder { call transfer };
 
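Review bot: The added `allow domain su:unix_dgram_socket sendto;` gives every domain the datagram send permission that the removed `unix_socket_send(hal_wifi_supplicant, wpa, su)` in public/hal_wifi_supplicant.te gave to a single domain, and the hunk also deletes the only comment in this block, so nothing records why the grant is that wide. The rule stays inside `userdebug_or_eng`, so user builds are unaffected, but a short comment would keep a later audit from reading it as an accident, e.g. `# userdebug/eng only: let any domain talk to sockets owned by su (e.g. wpa_cli), mirroring the adbd rules above`. The "adbd rules above" wording is taken from the removed comment; those rules are outside the hunk, and the `userdebug_or_eng` block itself continues past the last visible line. Since the commit lists only `Test: build`, it would also be worth confirming on a userdebug device that wpa_cli still reaches the supplicant without new denials.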
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 0f2540e40..82c9e7d7a 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -26,12 +26,6 @@ allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
 allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
 allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
 
-# Allow wpa_cli to work. wpa_cli creates a socket in
-# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
-userdebug_or_eng(`
-  unix_socket_send(hal_wifi_supplicant, wpa, su)
-')
-
 ###
 ### neverallow rules
 ###
-- 
GitLab