| Lior David | 4420cfc | 2017-05-23 10:40:44 +0300 | [diff] [blame] | 1 | # Copyright (c) 2015,2017, The Linux Foundation. All rights reserved. |
| Dedy Lansky | eb56c9a | 2015-08-11 15:07:48 +0300 | [diff] [blame] | 2 | # |
| 3 | # Redistribution and use in source and binary forms, with or without |
| 4 | # modification, are permitted provided that the following conditions are |
| 5 | # met: |
| 6 | # * Redistributions of source code must retain the above copyright |
| 7 | # notice, this list of conditions and the following disclaimer. |
| 8 | # * Redistributions in binary form must reproduce the above |
| 9 | # copyright notice, this list of conditions and the following |
| 10 | # disclaimer in the documentation and/or other materials provided |
| 11 | # with the distribution. |
| 12 | # * Neither the name of The Linux Foundation nor the names of its |
| 13 | # contributors may be used to endorse or promote products derived |
| 14 | # from this software without specific prior written permission. |
| 15 | # |
| 16 | # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED |
| 17 | # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
| 18 | # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT |
| 19 | # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS |
| 20 | # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| 21 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| 22 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
| 23 | # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, |
| 24 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE |
| 25 | # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN |
| 26 | # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 27 | |
| Biswajit Paul | 6786a92 | 2017-03-16 11:53:53 -0700 | [diff] [blame] | 28 | type fstman, domain; |
| Ravi Kumar Siddojigari | c7def12 | 2017-06-13 00:49:19 +0530 | [diff] [blame] | 29 | type fstman_exec, exec_type, vendor_file_type, file_type; |
| Dedy Lansky | eb56c9a | 2015-08-11 15:07:48 +0300 | [diff] [blame] | 30 | |
| 31 | init_daemon_domain(fstman) |
| 32 | net_domain(fstman) |
| 33 | |
| Lior David | 4420cfc | 2017-05-23 10:40:44 +0300 | [diff] [blame] | 34 | # fstman requires special network privileges. |
| 35 | # access traffic control (TC) for marking packets to identify from |
| 36 | # which slave interface they arrive, drop multicast packets and |
| 37 | # duplicate packets. This requires the net_raw capability. |
| 38 | # network admin operations mainly on the bonding driver: |
| 39 | # interface up/down, add/remove slave interfaces, set queue parameters |
| 40 | # This requires the net_admin capability. |
| Dedy Lansky | eb56c9a | 2015-08-11 15:07:48 +0300 | [diff] [blame] | 41 | allow fstman self:capability { net_admin net_raw }; |
| Lior David | 4420cfc | 2017-05-23 10:40:44 +0300 | [diff] [blame] | 42 | |
| 43 | # netlink socket is used to access traffic control (TC) |
| Dedy Lansky | eb56c9a | 2015-08-11 15:07:48 +0300 | [diff] [blame] | 44 | allow fstman self:netlink_route_socket nlmsg_write; |
| Lior David | 4420cfc | 2017-05-23 10:40:44 +0300 | [diff] [blame] | 45 | |
| 46 | # allow privileged socket operations: interface up/down, bond interface management |
| 47 | allowxperm fstman self:udp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS SIOCSIFTXQLEN SIOCBONDENSLAVE SIOCBONDRELEASE SIOCETHTOOL}; |
| 48 | |
| 49 | # need access to bond0 sysfs in order to manage attached interfaces |
| 50 | allow fstman sysfs_bond0:file rw_file_perms; |
| 51 | |
| 52 | # need access to wigig sysfs in order to control fst_link_loss |
| 53 | allow fstman sysfs_wigig:file rw_file_perms; |
| 54 | |
| 55 | # create/read fstman configuration file (/data/vendor/wifi/fstman.ini) |
| 56 | r_dir_file(fstman, wifi_vendor_data_file) |
| 57 | allow fstman wifi_vendor_data_file:dir rw_dir_perms; |
| 58 | allow fstman wifi_vendor_data_file:file create_file_perms; |
| 59 | |
| 60 | # fstman needs to communicate with wpa_supplicant and hostapd using socket |
| 61 | # for managing FST state |
| Michael Bestas | 0feb07d | 2018-10-05 00:37:23 +0300 | [diff] [blame] | 62 | allow fstman { hal_wifi_supplicant hostapd }:unix_dgram_socket sendto; |
| Lior David | 4420cfc | 2017-05-23 10:40:44 +0300 | [diff] [blame] | 63 | # supplicant interface sockets |
| 64 | allow fstman wifi_vendor_wpa_socket:dir rw_dir_perms; |
| 65 | allow fstman wifi_vendor_wpa_socket:sock_file create_file_perms; |
| 66 | # supplicant global socket |
| Dedy Lansky | eb56c9a | 2015-08-11 15:07:48 +0300 | [diff] [blame] | 67 | allow fstman wpa_socket:dir rw_dir_perms; |
| 68 | allow fstman wpa_socket:sock_file create_file_perms; |
| Lior David | 41292bb | 2017-07-31 17:48:55 +0300 | [diff] [blame] | 69 | # hostapd global socket |
| Bruno Martins | 6d01ab3 | 2018-08-20 14:21:08 +0100 | [diff] [blame] | 70 | allow fstman hostapd_data_file:dir rw_dir_perms; |
| 71 | allow fstman hostapd_data_file:sock_file create_file_perms; |