SEPolicy to start hostapd via init

While here, remove a lot of extra permissions that we apparently
had because hostapd was inheriting fds from netd.

Bug: 30041118
Test: netd can request init to start/stop hostapd without denials.

Change-Id: Ia777497443a4226a201030eccb9dfc5a40f015dd
(cherry picked from commit 8a6c5f85)

file.te

@@ -230,6 +230,8 @@ type system_ndebug_socket, file_type;
 type uncrypt_socket, file_type;
 type vold_socket, file_type;
 type wpa_socket, file_type;
+# hostapd control interface.
+type hostapd_socket, file_type;
 type zygote_socket, file_type;
 type sap_uim_socket, file_type;
 # UART (for GPS) control proc file

file_contexts

@@ -283,7 +283,7 @@
 /data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
-/data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
+/data/misc/wifi/hostapd(/.*)?   u:object_r:hostapd_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0

hostapd.te

 # userspace wifi access points
-type hostapd, domain, domain_deprecated;
+type hostapd, domain;
 type hostapd_exec, exec_type, file_type;
 
+init_daemon_domain(hostapd)
 net_domain(hostapd)
+allow hostapd self:capability { net_admin net_raw };
 
-allow hostapd self:capability { net_admin net_raw setuid setgid };
+# hostapd learns about its network interface via sysfs.
+allow hostapd sysfs:file r_file_perms;
+# hostapd follows the /sys/class/net/wlan0 link to the PCI device.
+allow hostapd sysfs:lnk_file r_file_perms;
+
+# Allow hostapd to access /proc/net/psched
+allow hostapd proc_net:file { getattr open read };
+
+# Various socket permissions.
 allow hostapd self:netlink_socket create_socket_perms;
 allow hostapd self:netlink_generic_socket create_socket_perms;
 allow hostapd self:packet_socket create_socket_perms;
 allow hostapd self:netlink_route_socket nlmsg_write;
 
+# hostapd can read and write WiFi related data and configuration.
+# For example, the entropy file is periodically updated.
 allow hostapd wifi_data_file:file rw_file_perms;
-allow hostapd wifi_data_file:dir create_dir_perms;
-type_transition hostapd wifi_data_file:dir wpa_socket "sockets";
-type_transition hostapd wifi_data_file:dir wpa_socket "hostapd";
-allow hostapd wpa_socket:dir create_dir_perms;
-allow hostapd wpa_socket:sock_file create_file_perms;
-allow hostapd netd:fd use;
-allow hostapd netd:udp_socket { read write };
-allow hostapd netd:fifo_file { read write };
-# TODO: Investigate whether these inherited sockets should be closed on exec.
-allow hostapd netd:netlink_kobject_uevent_socket { read write };
-allow hostapd netd:netlink_nflog_socket { read write };
-allow hostapd netd:netlink_route_socket { read write };
-allow hostapd netd:unix_stream_socket { read write };
-allow hostapd netd:unix_dgram_socket { read write };
+r_dir_file(hostapd, wifi_data_file)
+
+# hostapd needs to bind to (and possibly create) its control interface socket.
+allow hostapd hostapd_socket:dir rw_dir_perms;
+# hostapd likes to chmod its socket directory.
+allow hostapd hostapd_socket:dir setattr;
+allow hostapd hostapd_socket:sock_file create_file_perms;

netd.te

@@ -50,10 +50,6 @@ allow netd wifi_data_file:dir rw_dir_perms;
 allow netd net_data_file:file create_file_perms;
 allow netd net_data_file:dir rw_dir_perms;
 
-# Allow netd to spawn hostapd in it's own domain
-domain_auto_trans(netd, hostapd_exec, hostapd)
-allow netd hostapd:process signal;
-
 # Allow netd to spawn dnsmasq in it's own domain
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 allow netd dnsmasq:process signal;
@@ -80,6 +76,8 @@ allow netd dns_listener_service:service_manager find;
 allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
 allow netd netdomain:fd use;
 
+# Allow netd to start and stop hostapd via ctl.start/stop
+set_prop(netd, ctl_default_prop)
 
 ###
 ### Neverallow rules