From 5ddc8be4f43f73354946caa442a82e1435a7ddda Mon Sep 17 00:00:00 2001
From: Roshan Pius
Date: Sat, 5 Mar 2022 09:23:40 -0800
Subject: [PATCH] gs-sepolicy(uwb): Allow uwb hal permission to net_admin
This was alloed under gs101-sepolicy. There is an ongoing discussion on how to resolve this for the long term in b/190461440. But, without this uwb functionality is broken on new devices.
Bug: 206045367
Bug: 222194886
Change-Id: I6729352f2b7bb93b01990a790e62aa69f60342fe
---
 tracking_denials/hal_uwb_vendor_default.te | 1 -
 whitechapel_pro/hal_uwb_vendor.te | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te
index 2ec596a2..25e0a748 100644
--- a/tracking_denials/hal_uwb_vendor_default.te
+++ b/tracking_denials/hal_uwb_vendor_default.te
@@ -1,7 +1,6 @@
 # b/204718220
 dontaudit hal_uwb_vendor_default default_android_service:service_manager { add };
 # b/206045367
-dontaudit hal_uwb_vendor_default hal_uwb_vendor_default:capability { net_admin };
 dontaudit hal_uwb_vendor_default zygote:binder { call };
 dontaudit hal_uwb_vendor_default zygote:binder { transfer };
 # b/208721505
diff --git a/whitechapel_pro/hal_uwb_vendor.te b/whitechapel_pro/hal_uwb_vendor.te
index 6fda95ab..dc11d6b8 100644
--- a/whitechapel_pro/hal_uwb_vendor.te
+++ b/whitechapel_pro/hal_uwb_vendor.te
@@ -9,6 +9,8 @@ binder_call(hal_uwb_vendor_server, servicemanager)
 # allow hal_uwb_vendor to set wpan interfaces up and down
 allow hal_uwb_vendor self:udp_socket create_socket_perms;
 allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
+# TODO(b/190461440): Find a long term solution for this.
+allow hal_uwb_vendor self:global_capability_class_set { net_admin };
 # allow hal_uwb_vendor to speak to nl802154 in the kernel
 allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl;
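Review bot: The added rule `allow hal_uwb_vendor self:global_capability_class_set { net_admin };` in whitechapel_pro/hal_uwb_vendor.te is broader than the denial it replaces: the dontaudit removed from tracking_denials/hal_uwb_vendor_default.te covered only the `capability` class, whereas `global_capability_class_set` expands to both `capability` and `cap_userns`, so the HAL also gains CAP_NET_ADMIN inside user namespaces. Unless the userns form is actually needed, scoping the grant to the tracked class, `allow hal_uwb_vendor self:capability { net_admin };`, keeps the permission minimal and matches the denial that motivated it. The TODO comment only says a long-term fix is pending; it should also record why the capability is required now, presumably for the SIOCSIFFLAGS ioctl on the wpan interface allowed two lines above (to be confirmed), e.g. `# Needed to bring wpan interfaces up/down (SIOCSIFFLAGS); tracked for removal in b/190461440.`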