authorRoshan Pius <rpius@google.com>2017-03-04 04:34:04 -0800
committerRoshan Pius <rpius@google.com>2017-03-06 17:19:28 -0800
commitcfbd6b4d1df3d992f0da34aefc2a50a4a610e669 (patch)
tree564571c9937809fab7597fb1a3c1a64d3c08fc48
parent675fb05065f490affd82830acd8f596e7807e12e (diff)
downloadbullhead-o-preview.tar.gz
hal_wifi: Allow wifi hal to access LOWI serverandroid-o-preview-1o-preview
HAL wifi creates a LOWI client for accessing the LOWI server to share wifi gscan results for location purposes. Move all "location" access permissions from system_server to hal_wifi since these were most likely added for the old wifi hal which was loaded in system_server. Denials: 03-04 04:20:09.956 4796 4796 I android.hardwar: type=1400 audit(0.0:97): avc: denied { search } for name="location" dev="sda35" ino=3850313 scontext=u:r:hal_wifi_default:s0 tcontext=u:object_r:location_data_file:s0 tclass=dir permissive=1 03-04 04:20:09.956 4796 4796 I android.hardwar: type=1400 audit(0.0:98): avc: denied { write } for name="location-mq-s" dev="sda35" ino=3850337 scontext=u:r:hal_wifi_default:s0 tcontext=u:object_r:location_data_file:s0 tclass=sock_file permissive=1 03-04 04:20:09.956 4796 4796 I android.hardwar: type=1400 audit(0.0:99): avc: denied { connectto } for path="/data/misc/location/mq/location-mq-s" scontext=u:r:hal_wifi_default:s0 tcontext=u:r:location:s0 tclass=unix_stream_socket permissive=1 Bug: 35959128 Test: Device boots up and able to connect to wifi network. Denials no longer seen. Previously some wifi HAL calls would take a long time to complete because it tries to create a LOWI client for every request and fail. Change-Id: Ib465d0c97efbb1f1adb7ec0f2d499f46b6111419
-rw-r--r--sepolicy/hal_wifi.te5
-rw-r--r--sepolicy/location.te2
-rw-r--r--sepolicy/system_server.te6
3 files changed, 6 insertions, 7 deletions
diff --git a/sepolicy/hal_wifi.te b/sepolicy/hal_wifi.te
new file mode 100644
index 0000000..339379c
--- /dev/null
+++ b/sepolicy/hal_wifi.te
@@ -0,0 +1,5 @@
+# Allow wifi hal access to LOWI
+allow hal_wifi location:unix_stream_socket connectto;
+allow hal_wifi location_data_file:{ file fifo_file } create_file_perms;
+allow hal_wifi location_data_file:dir rw_dir_perms;
+allow hal_wifi location_data_file:sock_file create_file_perms;
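Review bot: The three `location_data_file` rules grant far more than the denials in the commit message show. The logs record only `search` on the directory, `write` on the sock_file and `connectto` on the socket, while this file lets hal_wifi create, modify and remove files, fifos and sock_files and add or remove directory entries under the location data directory. The rules were copied from system_server's block, which the message itself says was only "most likely" there for the old HAL, so consider narrowing them to `allow hal_wifi location_data_file:dir search;` and `allow hal_wifi location_data_file:sock_file write;` next to the existing `connectto` rule. Widen them only if further denials appear, since the boot-and-connect test may not have exercised every LOWI code path. The denials also name `hal_wifi_default` as the source; if `hal_wifi` is an attribute covering more than that domain, the grant reaches every domain carrying it, and the same applies to the `hal_wifi` target in the location.te hunk.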
diff --git a/sepolicy/location.te b/sepolicy/location.te
index 04880d1..210a03c 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -9,7 +9,7 @@ binder_call(location, per_mgr)
binder_call(location, system_server)
qmux_socket(location)
-allow location system_server:unix_stream_socket { read write };
+allow location hal_wifi:unix_stream_socket { read write };
allow location location_data_file:dir rw_dir_perms;
allow location location_data_file:file create_file_perms;
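Review bot: The retargeted rule `allow location hal_wifi:unix_stream_socket { read write };` has no denial in the commit message to support it; all three logged denials have `hal_wifi_default` as the source and none has `location`. If the LOWI server does need read/write on the HAL's socket, a comment above the rule such as `# LOWI server exchanges data with the wifi HAL's LOWI client` would record why. Otherwise the rule could be dropped rather than retargeted. location.te continues outside this hunk, so an existing comment elsewhere in the file may already cover it.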
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index d1346ad..46366ee 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -19,12 +19,6 @@ allow system_server uhid_device:chr_file rw_file_perms;
allow system_server persist_file:dir search;
allow system_server persist_sensortool_file:file r_file_perms;
-# For location
-allow system_server location:unix_stream_socket connectto;
-allow system_server location_data_file:{ file fifo_file } create_file_perms;
-allow system_server location_data_file:dir rw_dir_perms;
-allow system_server location_data_file:sock_file create_file_perms;
-
# talk to perfd
allow system_server perfd_data_file:dir search;
allow system_server perfd_data_file:sock_file write;