diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f918b5b4dc2e4275dd046287438ae64bd84555f7..d4de3b956c921b39359137ef7d7f1dc866ee54fd 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -53,6 +53,7 @@
hal_secure_element_hwservice
hal_tetheroffload_hwservice
hal_usb_gadget_hwservice
+ hal_wifi_hostapd_hwservice
hal_wifi_offload_hwservice
incident_helper
incident_helper_exec
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 90621a0d9895ed999ca84905f63524d9e4b34da4..998bf2fea8f6d05994af19b334833a986f920c68 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -55,6 +55,7 @@ android.hardware.vibrator::IVibrator u:object_r:hal_v
android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.hostapd::IHostapd u:object_r:hal_wifi_hostapd_hwservice:s0
android.hardware.wifi.offload::IOffload u:object_r:hal_wifi_offload_hwservice:s0
android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
diff --git a/private/system_server.te b/private/system_server.te
index 045acc6d131eba861c7dc61057396be2e2f6a4c3..8e07d3f224cefc2d0bf7df4e12e3893c1e8293b3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -213,6 +213,7 @@ hal_client_domain(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_weaver)
hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_hostapd)
hal_client_domain(system_server, hal_wifi_offload)
hal_client_domain(system_server, hal_wifi_supplicant)
diff --git a/public/attributes b/public/attributes
index fed8def39cfc07a7b53e84669786b7fda80551f5..75679c73d7f05726acae3ccf31655f7181edbd3d 100644
--- a/public/attributes
+++ b/public/attributes
@@ -276,6 +276,7 @@ hal_attribute(vibrator);
hal_attribute(vr);
hal_attribute(weaver);
hal_attribute(wifi);
+hal_attribute(wifi_hostapd);
hal_attribute(wifi_offload);
hal_attribute(wifi_supplicant);
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index ce4b48cd015a55982b6dfd586b6d4937425b8797..017fcce7b689a48a08b70c57d1c965d5e094edbf 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -4,6 +4,7 @@ neverallow {
halserverdomain
-hal_bluetooth_server
-hal_wifi_server
+ -hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
} self:global_capability_class_set { net_admin net_raw };
@@ -14,6 +15,7 @@ neverallow {
halserverdomain
-hal_tetheroffload_server
-hal_wifi_server
+ -hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
} domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
new file mode 100644
index 0000000000000000000000000000000000000000..03a554674d4c9277a54ba5f554c3969e70dcaa85
--- /dev/null
+++ b/public/hal_wifi_hostapd.te
@@ -0,0 +1,28 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
+binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
+
+add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
+allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
+
+allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
+
+allow hal_wifi_hostapd_server sysfs_net:dir search;
+
+# Allow hal_wifi_hostapd to access /proc/net/psched
+allow hal_wifi_hostapd_server proc_net:file { getattr open read };
+
+# Various socket permissions.
+allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
+allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
+
+###
+### neverallow rules
+###
+
+# hal_wifi_hostapd should not trust any data from sdcards
+neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_hostapd_server sdcard_type:file *;
diff --git a/public/hwservice.te b/public/hwservice.te
index 012592452997d4f05b35548467df3c4885c7c39d..2b745c0b3fba6c10a5dada2e0427e0e0834afc94 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -45,6 +45,7 @@ type hal_vibrator_hwservice, hwservice_manager_type;
type hal_vr_hwservice, hwservice_manager_type;
type hal_weaver_hwservice, hwservice_manager_type;
type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type;
type hal_wifi_offload_hwservice, hwservice_manager_type;
type hal_wifi_supplicant_hwservice, hwservice_manager_type;
type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/public/su.te b/public/su.te
index c63ae0ad40d652927f3b066f2f64a98eb64cba8a..0312945484620db72f6aa59873eb934ae6a5d121 100644
--- a/public/su.te
+++ b/public/su.te
@@ -94,6 +94,7 @@ userdebug_or_eng(`
typeattribute su hal_vr_client;
typeattribute su hal_weaver_client;
typeattribute su hal_wifi_client;
+ typeattribute su hal_wifi_hostapd_client;
typeattribute su hal_wifi_offload_client;
typeattribute su hal_wifi_supplicant_client;
')
diff --git a/vendor/file.te b/vendor/file.te
index 6bebfb5022bd63459d188716aadf461fb3148809..4de29c3cde8303ee371dcf5e33b1ec30d0a80a0c 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,2 +1,4 @@
# Socket types
type hostapd_socket, file_type, data_file_type, core_data_file_type;
+# Hostapd conf files
+type hostapd_data_file, file_type, data_file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 90de40b5b1d162966842b706e6e3c1fcdf9e0750..c2bd73c76769342f6c7d63ee3288b828d2ce1491 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -44,8 +44,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service u:object_r:hal_wifi_offload_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
-/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hostapd u:object_r:hostapd_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
#############################
@@ -58,4 +59,5 @@
#############################
# Data files
#
+/data/vendor/wifi/hostapd(/.*)? u:object_r:hostapd_data_file:s0
/data/misc/wifi/hostapd(/.*)? u:object_r:hostapd_socket:s0
diff --git a/vendor/hal_wifi_hostapd_default.te b/vendor/hal_wifi_hostapd_default.te
new file mode 100644
index 0000000000000000000000000000000000000000..5a3bbb6eed013b4f8fb5c5b2e897bac055eaa294
--- /dev/null
+++ b/vendor/hal_wifi_hostapd_default.te
@@ -0,0 +1,11 @@
+# hostapd or equivalent
+type hal_wifi_hostapd_default, domain;
+hal_server_domain(hal_wifi_hostapd_default, hal_wifi_hostapd)
+type hal_wifi_hostapd_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_hostapd_default)
+
+net_domain(hal_wifi_hostapd_default)
+
+# Allow hostapd to access it's data folder
+allow hal_wifi_hostapd_default hostapd_data_file:dir rw_dir_perms;
+allow hal_wifi_hostapd_default hostapd_data_file:file create_file_perms;