1# wpa - wpa supplicant or equivalent
2type wpa, domain;
3type wpa_exec, exec_type, file_type;
4
5init_daemon_domain(wpa)
6
7net_domain(wpa)
8
9allow wpa kernel:system module_request;
10allow wpa self:capability { setuid net_admin setgid net_raw };
11allow wpa cgroup:dir create_dir_perms;
12allow wpa self:netlink_route_socket nlmsg_write;
13allow wpa self:netlink_socket create_socket_perms;
14allow wpa self:packet_socket create_socket_perms;
15allow wpa wifi_data_file:dir create_dir_perms;
16allow wpa wifi_data_file:file create_file_perms;
17unix_socket_send(wpa, system_wpa, system_server)
18
19binder_use(wpa)
20
21# Create a socket for receiving info from wpa
22type_transition wpa wifi_data_file:dir wpa_socket "sockets";
23allow wpa wpa_socket:dir create_dir_perms;
24allow wpa wpa_socket:sock_file create_file_perms;
25
26use_keystore(wpa)
27
28# WPA (wifi) has a restricted set of permissions from the default.
29allow wpa keystore:keystore_key {
30	get
31	sign
32	verify
33};
34
35# Allow wpa_cli to work. wpa_cli creates a socket in
36# /data/misc/wifi/sockets which wpa supplicant communicates with.
37userdebug_or_eng(`
38  unix_socket_send(wpa, wpa, su)
39')
40
41###
42### neverallow rules
43###
44
45# wpa_supplicant should not trust any data from sdcards
46neverallow wpa sdcard_type:dir ~getattr;
47neverallow wpa sdcard_type:file *;
48