# wpa - wpa supplicant or equivalent
#
# Domain policy for the Wi-Fi supplicant process. The domain is
# declared with the "domain" attribute, and its executable with the
# "exec_type" and "file_type" attributes, so that the generic domain /
# file neverallow rules elsewhere in the policy apply to it.
type wpa, domain;
type wpa_exec, exec_type, file_type;

# init may start the daemon and transition it into the wpa domain when
# it executes a wpa_exec-labeled file.
init_daemon_domain(wpa)

# Generic network permissions (socket creation, network_type access)
# come from the shared net_domain macro rather than being listed here.
net_domain(wpa)

# module_request lets the supplicant ask the kernel to auto-load
# modules (e.g. for the Wi-Fi driver); the kernel decides what to load.
allow wpa kernel:system module_request;
# Capabilities: net_admin/net_raw for interface configuration and raw
# packet access, setuid/setgid so the process can drop privileges.
allow wpa self:capability { setuid net_admin setgid net_raw };
# NOTE(review): cgroup directory creation — presumably used for
# adjusting its own scheduling group; confirm against the daemon code.
allow wpa cgroup:dir create_dir_perms;
# nlmsg_write on netlink_route is needed to change interface state;
# netlink_socket covers the nl80211 (generic netlink) control path.
allow wpa self:netlink_route_socket nlmsg_write;
allow wpa self:netlink_socket create_socket_perms;
# Raw packet socket, e.g. for EAPOL frames.
allow wpa self:packet_socket create_socket_perms;
# Persistent Wi-Fi configuration lives in wifi_data_file.
allow wpa wifi_data_file:dir create_dir_perms;
allow wpa wifi_data_file:file create_file_perms;
# Send datagrams to system_server over the system_wpa socket.
unix_socket_send(wpa, system_wpa, system_server)

# Needed to reach binder services (keystore below).
binder_use(wpa)

# Create a socket for receiving info from wpa
# Named type transition: a directory called "sockets" that wpa creates
# inside a wifi_data_file directory is labeled wpa_socket, keeping the
# control sockets separate from the configuration files.
type_transition wpa wifi_data_file:dir wpa_socket "sockets";
allow wpa wpa_socket:dir create_dir_perms;
allow wpa wpa_socket:sock_file create_file_perms;

use_keystore(wpa)

# WPA (wifi) has a restricted set of permissions from the default.
# Only key retrieval and sign/verify are granted; no key generation,
# import or deletion (e.g. for EAP-TLS client certificates).
allow wpa keystore:keystore_key {
    get
    sign
    verify
};

# Allow wpa_cli to work. wpa_cli creates a socket in
# /data/misc/wifi/sockets which wpa supplicant communicates with.
# Only expanded on userdebug/eng builds; user builds get no su path.
userdebug_or_eng(`
    unix_socket_send(wpa, wpa, su)
')

###
### neverallow rules
###

# wpa_supplicant should not trust any data from sdcards
# "~getattr" is the complement: every dir permission except getattr is
# forbidden; "*" forbids every file permission outright.
neverallow wpa sdcard_type:dir ~getattr;
neverallow wpa sdcard_type:file *;