Loading target/board/generic/sepolicy/execns.te +3 −10 Original line number Diff line number Diff line Loading @@ -6,7 +6,7 @@ init_daemon_domain(execns) allow execns varrun_file:dir search; allow execns varrun_file:file r_file_perms; allow execns self:capability sys_admin; allow execns self:capability { sys_admin setuid setgid }; allow execns nsfs:file { open read }; #Allow execns itself to be run by init in its own domain Loading @@ -18,15 +18,8 @@ domain_auto_trans(execns, dhcpclient_exec, dhcpclient); # Allow dhcpserver to be run by execns in its own domain domain_auto_trans(execns, dhcpserver_exec, dhcpserver); # Rules to allow execution of hostapd and allow it to run allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans }; allow execns self:capability { net_admin net_raw }; allow execns self:netlink_generic_socket { bind create getattr read setopt write }; allow execns self:netlink_route_socket { bind create read write nlmsg_write }; allow execns execns:udp_socket { create ioctl }; allow execns self:packet_socket { create setopt }; allow execns sysfs_net:dir { search }; allowxperm execns self:udp_socket ioctl priv_sock_ioctls; # Allow hostapd_nohidl to be run by execns in its own domain domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl); # Allow execns to read createns proc file to get the namespace file allow execns createns:file read; Loading target/board/generic/sepolicy/file_contexts +1 −0 Original line number Diff line number Diff line Loading 
@@ -24,6 +24,7 @@ /vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0 /vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0 /vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0 /vendor/bin/hostapd_nohidl u:object_r:hostapd_nohidl_exec:s0 /vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0 Loading target/board/generic/sepolicy/hostapd_nohidl.te 0 → 100644 +16 −0 Original line number Diff line number Diff line type hostapd_nohidl, domain; type hostapd_nohidl_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hostapd_nohidl) net_domain(hostapd_nohidl) allow hostapd_nohidl execns:fd use; allow hostapd_nohidl self:capability { net_admin net_raw }; allow hostapd_nohidl self:netlink_generic_socket { bind create getattr read setopt write }; allow hostapd_nohidl self:netlink_route_socket nlmsg_write; allow hostapd_nohidl self:packet_socket { create setopt }; allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls; # hostapd will attempt to search sysfs but it's not needed and will spam the log dontaudit hostapd_nohidl sysfs_net:dir search; Loading
target/board/generic/sepolicy/execns.te +3 −10 Original line number Diff line number Diff line Loading @@ -6,7 +6,7 @@ init_daemon_domain(execns) allow execns varrun_file:dir search; allow execns varrun_file:file r_file_perms; allow execns self:capability sys_admin; allow execns self:capability { sys_admin setuid setgid }; allow execns nsfs:file { open read }; #Allow execns itself to be run by init in its own domain Loading @@ -18,15 +18,8 @@ domain_auto_trans(execns, dhcpclient_exec, dhcpclient); # Allow dhcpserver to be run by execns in its own domain domain_auto_trans(execns, dhcpserver_exec, dhcpserver); # Rules to allow execution of hostapd and allow it to run allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans }; allow execns self:capability { net_admin net_raw }; allow execns self:netlink_generic_socket { bind create getattr read setopt write }; allow execns self:netlink_route_socket { bind create read write nlmsg_write }; allow execns execns:udp_socket { create ioctl }; allow execns self:packet_socket { create setopt }; allow execns sysfs_net:dir { search }; allowxperm execns self:udp_socket ioctl priv_sock_ioctls; # Allow hostapd_nohidl to be run by execns in its own domain domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl); # Allow execns to read createns proc file to get the namespace file allow execns createns:file read; Loading
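Review bot: The widened capability rule `allow execns self:capability { sys_admin setuid setgid };` in the first hunk is not explained anywhere in the change, and nothing on the page shows execns changing its uid or gid (the +/- markers are lost on this page, so I read the sys_admin-only line as the old side and the three-capability line as the new one). CAP_SETUID/CAP_SETGID in a domain that already holds sys_admin and execs other binaries is a broad grant, so the rule should carry a why-comment, e.g. `# setuid/setgid: execns switches credentials before exec'ing hostapd_nohidl` if that is the intent, so a later audit can confirm no other path in execns relies on them. The second hunk's replacement of the execute_no_trans rule with `domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl);` is the right direction and needs nothing further.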
target/board/generic/sepolicy/file_contexts +1 −0 Original line number Diff line number Diff line Loading @@ -24,6 +24,7 @@ /vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0 /vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0 /vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0 /vendor/bin/hostapd_nohidl u:object_r:hostapd_nohidl_exec:s0 /vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0 Loading
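--- /dev/null
+++ b/target/board/generic/sepolicy/hostapd_nohidl.te
+type hostapd_nohidl, domain;
+type hostapd_nohidl_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hostapd_nohidl)
+net_domain(hostapd_nohidl)
+allow hostapd_nohidl execns:fd use;
+allow hostapd_nohidl self:capability { net_admin net_raw };
+allow hostapd_nohidl self:netlink_generic_socket { bind create getattr read setopt write };
+allow hostapd_nohidl self:netlink_route_socket nlmsg_write;
+allow hostapd_nohidl self:packet_socket { create setopt };
+allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls;
+# hostapd will attempt to search sysfs but it's not needed and will spam the log
+dontaudit hostapd_nohidl sysfs_net:dir search;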
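Review bot: The new domain has no header comment, and two of its rules depend on permissions that are not in this file: `allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls;` has no matching `allow hostapd_nohidl self:udp_socket { create ioctl };`, and `allow hostapd_nohidl self:netlink_route_socket nlmsg_write;` has no create/bind/read/write, both of which the removed execns rules granted explicitly. Presumably `net_domain(hostapd_nohidl)` supplies the base socket permissions, but that should be confirmed with a denial scan on a boot that brings the AP up, since a missing base permission would make the allowxperm line dead. Suggest a header comment such as `# hostapd_nohidl: hostapd launched by execns (inherits its fds); see execns.te for the transition` and a one-line comment on the allowxperm naming which privileged socket ioctl hostapd needs, as priv_sock_ioctls widens the ioctl set beyond what net_domain appears to grant. Four of the file's 16 lines (presumably blank separators) are not visible on this page, so the grouping of the rules could not be reviewed here.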