From d7b34a48ff17a7c2f7f938718525fa51c70c5686 Mon Sep 17 00:00:00 2001 From: Roshan Pius <rpius@google.com> Date: Fri, 22 Dec 2017 15:03:15 -0800 Subject: [PATCH] sepolicy(hostapd): Add a HIDL interface for hostapd * Note on cherry-pick: Some of the dependent changes are not in AOSP. In order to keep hostapd running correctly in AOSP, I've modified this change to only include policy additions. Change sepolicy permissions to now classify hostapd as a HAL exposing HIDL interface. Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd: 12-27 23:40:55.913 4952 4952 W hostapd : type=1400 audit(0.0:19): avc: denied { write } for name="hostapd" dev="sda13" ino=4587601 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0 01-02 19:07:16.938 5791 5791 W hostapd : type=1400 audit(0.0:31): avc: denied { search } for name="net" dev="sysfs" ino=30521 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0 Bug: 36646171 Test: Device boots up and able to turn on SoftAp. Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947 Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947 (cherry picked from commit 5bca3e860d34b3aff070a38bfd39caa74cade443) --- private/compat/26.0/26.0.ignore.cil | 1 + private/hwservice_contexts | 1 + private/system_server.te | 1 + public/attributes | 1 + public/hal_neverallows.te | 2 ++ public/hal_wifi_hostapd.te | 28 ++++++++++++++++++++++++++++ public/hwservice.te | 1 + public/su.te | 1 + vendor/file.te | 2 ++ vendor/file_contexts | 4 +++- vendor/hal_wifi_hostapd_default.te | 11 +++++++++++ 11 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 public/hal_wifi_hostapd.te create mode 100644 vendor/hal_wifi_hostapd_default.te diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil index f918b5b4d..d4de3b956 100644 --- a/private/compat/26.0/26.0.ignore.cil +++ b/private/compat/26.0/26.0.ignore.cil @@ -53,6 +53,7 @@ hal_secure_element_hwservice hal_tetheroffload_hwservice hal_usb_gadget_hwservice + hal_wifi_hostapd_hwservice hal_wifi_offload_hwservice incident_helper incident_helper_exec diff --git a/private/hwservice_contexts b/private/hwservice_contexts index 90621a0d9..998bf2fea 100644 --- a/private/hwservice_contexts +++ b/private/hwservice_contexts @@ -55,6 +55,7 @@ android.hardware.vibrator::IVibrator u:object_r:hal_v android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0 android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0 android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0 +android.hardware.wifi.hostapd::IHostapd u:object_r:hal_wifi_hostapd_hwservice:s0 android.hardware.wifi.offload::IOffload u:object_r:hal_wifi_offload_hwservice:s0 android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0 android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0 diff --git a/private/system_server.te b/private/system_server.te index 045acc6d1..8e07d3f22 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -213,6 +213,7 @@ hal_client_domain(system_server, hal_vibrator) hal_client_domain(system_server, hal_vr) hal_client_domain(system_server, hal_weaver) hal_client_domain(system_server, hal_wifi) +hal_client_domain(system_server, hal_wifi_hostapd) hal_client_domain(system_server, hal_wifi_offload) hal_client_domain(system_server, hal_wifi_supplicant) diff --git a/public/attributes b/public/attributes index fed8def39..75679c73d 100644 --- a/public/attributes +++ b/public/attributes @@ -276,6 +276,7 @@ hal_attribute(vibrator); hal_attribute(vr); hal_attribute(weaver); hal_attribute(wifi); +hal_attribute(wifi_hostapd); hal_attribute(wifi_offload); hal_attribute(wifi_supplicant); diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te index ce4b48cd0..017fcce7b 100644 --- a/public/hal_neverallows.te +++ b/public/hal_neverallows.te @@ -4,6 +4,7 @@ neverallow { halserverdomain -hal_bluetooth_server -hal_wifi_server + -hal_wifi_hostapd_server -hal_wifi_supplicant_server -hal_telephony_server } self:global_capability_class_set { net_admin net_raw }; @@ -14,6 +15,7 @@ neverallow { halserverdomain -hal_tetheroffload_server -hal_wifi_server + -hal_wifi_hostapd_server -hal_wifi_supplicant_server -hal_telephony_server } domain:{ tcp_socket udp_socket rawip_socket } *; diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te new file mode 100644 index 000000000..03a554674 --- /dev/null +++ b/public/hal_wifi_hostapd.te @@ -0,0 +1,28 @@ +# HwBinder IPC from client to server +binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server) +binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client) + +add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice) +allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find; + +allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw }; + +allow hal_wifi_hostapd_server sysfs_net:dir search; + +# Allow hal_wifi_hostapd to access /proc/net/psched +allow hal_wifi_hostapd_server proc_net:file { getattr open read }; + +# Various socket permissions. +allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls; +allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl; +allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl; +allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl; +allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write; + +### +### neverallow rules +### + +# hal_wifi_hostapd should not trust any data from sdcards +neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr; +neverallow hal_wifi_hostapd_server sdcard_type:file *; diff --git a/public/hwservice.te b/public/hwservice.te index 012592452..2b745c0b3 100644 --- a/public/hwservice.te +++ b/public/hwservice.te @@ -45,6 +45,7 @@ type hal_vibrator_hwservice, hwservice_manager_type; type hal_vr_hwservice, hwservice_manager_type; type hal_weaver_hwservice, hwservice_manager_type; type hal_wifi_hwservice, hwservice_manager_type; +type hal_wifi_hostapd_hwservice, hwservice_manager_type; type hal_wifi_offload_hwservice, hwservice_manager_type; type hal_wifi_supplicant_hwservice, hwservice_manager_type; type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice; diff --git a/public/su.te b/public/su.te index c63ae0ad4..031294548 100644 --- a/public/su.te +++ b/public/su.te @@ -94,6 +94,7 @@ userdebug_or_eng(` typeattribute su hal_vr_client; typeattribute su hal_weaver_client; typeattribute su hal_wifi_client; + typeattribute su hal_wifi_hostapd_client; typeattribute su hal_wifi_offload_client; typeattribute su hal_wifi_supplicant_client; ') diff --git a/vendor/file.te b/vendor/file.te index 6bebfb502..4de29c3cd 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -1,2 +1,4 @@ # Socket types type hostapd_socket, file_type, data_file_type, core_data_file_type; +# Hostapd conf files +type hostapd_data_file, file_type, data_file_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 90de40b5b..c2bd73c76 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -44,8 +44,9 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service u:object_r:hal_wifi_offload_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0 -/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0 +/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0 /(vendor|system/vendor)/bin/hostapd u:object_r:hostapd_exec:s0 +/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0 /(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0 ############################# @@ -58,4 +59,5 @@ ############################# # Data files # +/data/vendor/wifi/hostapd(/.*)? u:object_r:hostapd_data_file:s0 /data/misc/wifi/hostapd(/.*)? u:object_r:hostapd_socket:s0 diff --git a/vendor/hal_wifi_hostapd_default.te b/vendor/hal_wifi_hostapd_default.te new file mode 100644 index 000000000..5a3bbb6ee --- /dev/null +++ b/vendor/hal_wifi_hostapd_default.te @@ -0,0 +1,11 @@ +# hostapd or equivalent +type hal_wifi_hostapd_default, domain; +hal_server_domain(hal_wifi_hostapd_default, hal_wifi_hostapd) +type hal_wifi_hostapd_default_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_wifi_hostapd_default) + +net_domain(hal_wifi_hostapd_default) + +# Allow hostapd to access it's data folder +allow hal_wifi_hostapd_default hostapd_data_file:dir rw_dir_perms; +allow hal_wifi_hostapd_default hostapd_data_file:file create_file_perms; -- GitLab