# wpa: SELinux domain for wpa_supplicant or an equivalent Wi-Fi supplicant.
#
# The macros and attributes used below are defined elsewhere in the policy
# tree, so what each one expands to cannot be seen from this file.
# NOTE(review): this domain carries the domain_deprecated attribute. Confirm
# what access that attribute grants and whether wpa still depends on it.
type wpa, domain, domain_deprecated;
type wpa_exec, exec_type, file_type;

# Domain setup. Presumably an init-started daemon entered through wpa_exec,
# with baseline network and binder access - verify against the macro
# definitions.
init_daemon_domain(wpa)
net_domain(wpa)
binder_use(wpa)

# Kernel module autoload requests.
allow wpa kernel:system module_request;

# The only capabilities granted to this domain. net_admin and net_raw are
# broad network privileges and setuid/setgid allow an identity change, so any
# addition to this set deserves review.
allow wpa self:capability { net_admin net_raw setgid setuid };

allow wpa cgroup:dir create_dir_perms;

# Sockets the supplicant opens on its own behalf: route netlink messages that
# modify state, plus creation of generic netlink, plain netlink and packet
# sockets.
allow wpa self:netlink_route_socket nlmsg_write;
allow wpa self:{ netlink_socket netlink_generic_socket packet_socket } create_socket_perms;

# Wi-Fi state directories and files.
allow wpa wifi_data_file:dir create_dir_perms;
allow wpa wifi_data_file:file create_file_perms;

# Datagram path towards system_server over the system_wpa socket.
unix_socket_send(wpa, system_wpa, system_server)

# Socket directory used for receiving info from wpa. A directory named
# "sockets" that wpa creates inside a wifi_data_file directory is labelled
# wpa_socket instead of inheriting the parent label.
type_transition wpa wifi_data_file:dir wpa_socket "sockets";
allow wpa wpa_socket:dir create_dir_perms;
allow wpa wpa_socket:sock_file create_file_perms;

# Keystore access. WPA (wifi) is limited to a restricted subset of the
# default key permissions: read, sign and verify only.
use_keystore(wpa)
allow wpa keystore:keystore_key { get sign verify };

# Let wpa_cli work. wpa_cli creates a socket in /data/misc/wifi/sockets and
# the supplicant talks to it. The rule sits inside userdebug_or_eng, so it is
# expected to be absent from user builds - confirm against the macro.
userdebug_or_eng(`
  unix_socket_send(wpa, wpa, su)
')

###
### neverallow rules
###

# wpa_supplicant must not trust any data from sdcards. These are build-time
# assertions: on sdcard_type directories nothing beyond getattr may ever be
# allowed, and on sdcard_type files no permission at all.
neverallow wpa sdcard_type:dir ~getattr;
neverallow wpa sdcard_type:file *;