
Commit 760871c7 authored by Bjoern Johansson's avatar Bjoern Johansson

Fix SELinux settings for WiFi in Treble

Update SELinux permissions to work with Treble and the much stricter
SELinux rules.

BUG: 74514143
Test: Compile and manually test that WiFi is working
Change-Id: Ic0a6417fb4fed1597fee70367924e5d59f37e725
(cherry picked from commit 37d7bc2adcc4bfd4c0f03dcddf1c7fbd31e87a4f)
(cherry picked from commit 1b0158a4ab6ca4f05b4b186ec3a080c689492b58)
parent 3c4b3423
+9 −5
# DHCP client
type dhcpclient, domain, domain_deprecated;
type dhcpclient_exec, exec_type, file_type;
type dhcpclient, domain;
type dhcpclient_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(dhcpclient)
net_domain(dhcpclient)
@@ -9,8 +9,12 @@ allow dhcpclient execns:fd use;

set_prop(dhcpclient, net_eth0_prop);
allow dhcpclient self:capability { net_admin net_raw };
allow dhcpclient self:packet_socket { create bind ioctl read write };
allow dhcpclient self:udp_socket { ioctl create };
allow dhcpclient self:udp_socket create;
allow dhcpclient self:netlink_route_socket { write nlmsg_write };
allow dhcpclient varrun_file:dir search;
allow dhcpclient self:packet_socket { create bind write read };
allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS
                                              SIOCSIFADDR
                                              SIOCSIFNETMASK
                                              SIOCSIFMTU
                                              SIOCGIFHWADDR };
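Review bot: The `allowxperm` closing the second hunk only narrows an `ioctl` permission on `udp_socket` that must be granted elsewhere, because the new `allow dhcpclient self:udp_socket create;` line grants only `create` and the old `{ ioctl create }` form is gone; presumably `net_domain(dhcpclient)` supplies the socket permissions, which is worth confirming against the base policy. A one-line comment above the allowxperm would spare the next reader that lookup: `# udp_socket ioctl itself comes via net_domain(); this extends the permitted ioctl set to the interface-configuration calls dhcpclient needs`. Dropping `ioctl` from the `packet_socket` rule and replacing a blanket ioctl with an explicit SIOC* list is the right direction for a domain that already holds `net_admin` and `net_raw`.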
+2 −2
# DHCP server
type dhcpserver, domain, domain_deprecated;
type dhcpserver_exec, exec_type, file_type;
type dhcpserver, domain;
type dhcpserver_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(dhcpserver)
net_domain(dhcpserver)
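Review bot: Dropping `domain_deprecated` from the `dhcpserver` type removes whatever legacy blanket rules that attribute carried, so any access dhcpserver relied on through it now has to be listed in this file explicitly. The commit's test line covers WiFi client operation, whereas the DHCP server path (hotspot/tethering in the emulator) may only surface denials when it is actually exercised, so an avc-log check on that path would be worth adding to the test description. The same attribute change is made on the dhcpclient and execns types in the other sections of this commit.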
+3 −7
# Network namespace transitions
type execns, domain, domain_deprecated;
type execns_exec, exec_type, file_type;
type execns, domain;
type execns_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(execns)

allow execns varrun_file:dir search;
allow execns self:capability sys_admin;
allow execns proc:file { open read };

#Allow execns itself to be run by init in its own domain
domain_auto_trans(init, execns_exec, execns);
@@ -19,8 +20,3 @@ domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
# Allow hostapd to be run by execns in its own domain
domain_auto_trans(execns, hostapd_exec, hostapd);
allow hostapd execns:fd use;

# Allow dnsmasq to be run by execns in its own domain
domain_auto_trans(execns, dnsmasq_exec, dnsmasq);
allow dnsmasq execns:fd use;
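Review bot: The second hunk appears to delete the `domain_auto_trans(execns, hostapd_exec, hostapd)` and `domain_auto_trans(execns, dnsmasq_exec, dnsmasq)` rules together with their `execns:fd use` companions; the rendered view lost the +/- markers, but the section's +3 −7 count leaves little else for that hunk to remove. Without those transitions, anything execns still launches from those binaries would stay in the execns domain or be refused at exec time, and neither the hunk nor the commit message says where the hostapd/dnsmasq transitions now live. A short comment at the point where the remaining execns transitions are declared, stating that hostapd and dnsmasq are no longer spawned through execns (or naming the file that now declares those transitions), would make the intent checkable by a later reviewer.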
+5 −4
@@ -17,11 +17,12 @@
/dev/ttyS2                   u:object_r:console_device:s0
/vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0
/vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
/vendor/bin/init\.wifi\.sh   u:object_r:goldfish_setup_exec:s0
/vendor/bin/qemu-props       u:object_r:qemu_props_exec:s0
/system/bin/execns           u:object_r:execns_exec:s0
/system/bin/ipv6proxy        u:object_r:ipv6proxy_exec:s0
/system/bin/dhcpclient       u:object_r:dhcpclient_exec:s0
/system/bin/dhcpserver       u:object_r:dhcpserver_exec:s0
/vendor/bin/execns           u:object_r:execns_exec:s0
/vendor/bin/ipv6proxy        u:object_r:ipv6proxy_exec:s0
/vendor/bin/dhcpclient       u:object_r:dhcpclient_exec:s0
/vendor/bin/dhcpserver       u:object_r:dhcpserver_exec:s0

/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine          u:object_r:hal_drm_widevine_exec:s0

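Review bot: The `/system/bin/` entries for execns, ipv6proxy, dhcpclient and dhcpserver are replaced by `/vendor/bin/` ones, so a binary that still ends up under /system/bin would receive the default system label, `init_daemon_domain` would no longer transition it into its own domain, and the service would most likely be refused at exec rather than run with reduced confinement. That is only a problem if the build does not also move those modules to the vendor partition, which this page cannot show; confirm the corresponding build-file change is part of the same cherry-pick. The escaping in the added `/vendor/bin/init\.wifi\.sh` entry matches the neighbouring ranchu entries.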
+16 −3
@@ -16,10 +16,23 @@ allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
set_prop(goldfish_setup, ctl_default_prop);

# Set up WiFi
allow goldfish_setup self:netlink_route_socket nlmsg_write;
allow goldfish_setup self:netlink_socket create_socket_perms;
allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
allow goldfish_setup self:netlink_socket create_socket_perms_no_ioctl;
allow goldfish_setup self:capability { sys_module sys_admin };
allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
allow goldfish_setup execns_exec:file rx_file_perms;
allow goldfish_setup proc_net:file w_file_perms;
allow goldfish_setup proc_net:file rw_file_perms;
allow goldfish_setup proc:file r_file_perms;
set_prop(goldfish_setup, ctl_default_prop);
allow goldfish_setup system_data_file:dir getattr;
allow goldfish_setup kernel:system module_request;
# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
allow goldfish_setup system_file:file execute_no_trans;
# Allow goldfish_setup to run init.wifi.sh
allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
# iw
allow goldfish_setup sysfs:file { read open };
# iptables
allow goldfish_setup system_file:file lock;
allow goldfish_setup self:rawip_socket { create getopt setopt };
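Review bot: `set_prop(goldfish_setup, ctl_default_prop);` now appears twice on the new side, once as context at the top of the hunk and again after the `proc:file r_file_perms` line; the second copy is redundant and should be dropped. Beyond that, the added rules make goldfish_setup a very broad domain: `capability { sys_module sys_admin }`, `kernel:system module_request`, `mounton` over `varrun_file`, and `system_file:file execute_no_trans`, which lets it execute anything labelled system_file without a domain change, not only the `ip` and `iw` the comment names. A header comment stating that this is an emulator-only setup domain and why module loading and in-domain execution of system_file binaries are required would let a later reviewer judge whether each grant is still needed.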