From a18b41e7522d0cf347ae486a6881e1228adfbfb0 Mon Sep 17 00:00:00 2001
From: Mitchell Wills <mwills@google.com>
Date: Fri, 16 Sep 2016 12:17:10 -0700
Subject: [PATCH] Add selinux policy for legacy Wifi HAL

avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=binder permissive=1

avc: denied { bind } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { call } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=1
avc: denied { getattr } for path="/proc/4355/net/psched" dev="proc" ino=4026535370 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { getattr } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { ioctl } for path="socket:[28193]" dev="sockfs" ino=28193 ioctlcmd=8933 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=1
avc: denied { ioctl } for path="socket:[34821]" dev="sockfs" ino=34821 ioctlcmd=8933 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=1
avc: denied { net_admin } for capability=12 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=capability permissive=1
avc: denied { net_raw } for capability=13 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=capability permissive=1
avc: denied { open } for path="/proc/2754/net/psched" dev="proc" ino=4026535377 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/class/net" dev="sysfs" ino=10488 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { read } for name="net" dev="sysfs" ino=10488 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { read } for name="psched" dev="proc" ino=4026535370 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { read } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { setopt } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { transfer } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { write } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=0
avc: denied { net_admin } for capability=12 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=capability permissive=0
avc: denied { read } for name="net" dev="sysfs" ino=9862 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=0

Bug: 31352200
Test: can boot angler & bullhead and start/stop HAL repeatedly
Change-Id: Ide93730d362fb93602742fc10b22fff6e7d56f6b
---
 file_contexts      |  2 ++
 wifi_hal_legacy.te | 22 ++++++++++++++++++++++
 wificond.te        |  3 +++
 3 files changed, 27 insertions(+)
 create mode 100644 wifi_hal_legacy.te

diff --git a/file_contexts b/file_contexts
index 36fde98c7..eeda6c73e 100644
--- a/file_contexts
+++ b/file_contexts
@@ -215,6 +215,8 @@
 /system/bin/idmap u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
+/system/bin/hw/wifi_hal_legacy   u:object_r:wifi_hal_legacy_exec:s0
+
 
 #############################
 # Vendor files
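Review bot: The second added line in this hunk is an empty `+` line that, together with the existing blank line below it, leaves two consecutive blank lines before the `# Vendor files` banner; the rest of file_contexts separates sections with a single blank line. Dropping that extra `+` line keeps the file's layout consistent, and the new `/system/bin/hw/wifi_hal_legacy` entry is aligned with its neighbours so nothing else needs touching.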
diff --git a/wifi_hal_legacy.te b/wifi_hal_legacy.te
new file mode 100644
index 000000000..a7fce5729
--- /dev/null
+++ b/wifi_hal_legacy.te
@@ -0,0 +1,22 @@
+# wifi legacy hal
+type wifi_hal_legacy, domain;
+type wifi_hal_legacy_exec, exec_type, file_type;
+
+# may be started by init
+init_daemon_domain(wifi_hal_legacy)
+
+## hwbinder access
+hwbinder_use(wifi_hal_legacy)
+
+## call into wificond process (callbacks)
+binder_call(wifi_hal_legacy, wificond)
+
+r_dir_file(wifi_hal_legacy, proc_net)
+r_dir_file(wifi_hal_legacy, sysfs_type)
+
+allow wifi_hal_legacy self:udp_socket create_socket_perms;
+allow wifi_hal_legacy self:capability { net_admin net_raw };
+# allow wifi_hal_legacy to speak to nl80211 in the kernel
+allow wifi_hal_legacy self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow wifi_hal_legacy self:netlink_generic_socket create_socket_perms_no_ioctl;
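Review bot: `r_dir_file(wifi_hal_legacy, sysfs_type)` grants read access over every type carrying the sysfs_type attribute, while the denials quoted in the commit message only touch `/sys/class/net`, labelled plain `sysfs`; `r_dir_file(wifi_hal_legacy, sysfs)` would cover what the log shows without opening other sysfs labels to a daemon that also holds net_admin and net_raw. Similarly, `allow wifi_hal_legacy self:udp_socket create_socket_perms;` includes ioctl for the one `ioctlcmd=8933` seen in the log, so if this tree already restricts socket ioctls with allowxperm elsewhere, the same pattern would keep this grant to that single command — worth confirming against the rest of the policy. The `## hwbinder access` and `## call into wificond process (callbacks)` comments use a double hash while every other comment in the new file uses a single `#`; one style throughout would be clearer.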
diff --git a/wificond.te b/wificond.te
index d7979ec9a..673394a2c 100644
--- a/wificond.te
+++ b/wificond.te
@@ -8,6 +8,9 @@ binder_use(wificond)
 binder_call(wificond, system_server)
 binder_call(wificond, wpa)
 
+hwbinder_use(wificond)
+binder_call(wificond, wifi_hal_legacy)
+
 allow wificond wificond_service:service_manager { add find };
 
 # wificond writes firmware paths to this file.
-- 
GitLab