From d7b34a48ff17a7c2f7f938718525fa51c70c5686 Mon Sep 17 00:00:00 2001
From: Roshan Pius <rpius@google.com>
Date: Fri, 22 Dec 2017 15:03:15 -0800
Subject: [PATCH] sepolicy(hostapd): Add a HIDL interface for hostapd

* Note on cherry-pick: Some of the dependent changes are not in AOSP.
In order to keep hostapd running correctly in AOSP, I've modified this
change to only include policy additions.

Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
(cherry picked from commit 5bca3e860d34b3aff070a38bfd39caa74cade443)
---
 private/compat/26.0/26.0.ignore.cil |  1 +
 private/hwservice_contexts          |  1 +
 private/system_server.te            |  1 +
 public/attributes                   |  1 +
 public/hal_neverallows.te           |  2 ++
 public/hal_wifi_hostapd.te          | 28 ++++++++++++++++++++++++++++
 public/hwservice.te                 |  1 +
 public/su.te                        |  1 +
 vendor/file.te                      |  2 ++
 vendor/file_contexts                |  4 +++-
 vendor/hal_wifi_hostapd_default.te  | 11 +++++++++++
 11 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 public/hal_wifi_hostapd.te
 create mode 100644 vendor/hal_wifi_hostapd_default.te

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f918b5b4d..d4de3b956 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -53,6 +53,7 @@
     hal_secure_element_hwservice
     hal_tetheroffload_hwservice
     hal_usb_gadget_hwservice
+    hal_wifi_hostapd_hwservice
     hal_wifi_offload_hwservice
     incident_helper
     incident_helper_exec
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 90621a0d9..998bf2fea 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -55,6 +55,7 @@ android.hardware.vibrator::IVibrator                            u:object_r:hal_v
 android.hardware.vr::IVr                                        u:object_r:hal_vr_hwservice:s0
 android.hardware.weaver::IWeaver                                u:object_r:hal_weaver_hwservice:s0
 android.hardware.wifi::IWifi                                    u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.hostapd::IHostapd                         u:object_r:hal_wifi_hostapd_hwservice:s0
 android.hardware.wifi.offload::IOffload                         u:object_r:hal_wifi_offload_hwservice:s0
 android.hardware.wifi.supplicant::ISupplicant                   u:object_r:hal_wifi_supplicant_hwservice:s0
 android.hidl.allocator::IAllocator                              u:object_r:hidl_allocator_hwservice:s0
diff --git a/private/system_server.te b/private/system_server.te
index 045acc6d1..8e07d3f22 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -213,6 +213,7 @@ hal_client_domain(system_server, hal_vibrator)
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_weaver)
 hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_hostapd)
 hal_client_domain(system_server, hal_wifi_offload)
 hal_client_domain(system_server, hal_wifi_supplicant)
 
diff --git a/public/attributes b/public/attributes
index fed8def39..75679c73d 100644
--- a/public/attributes
+++ b/public/attributes
@@ -276,6 +276,7 @@ hal_attribute(vibrator);
 hal_attribute(vr);
 hal_attribute(weaver);
 hal_attribute(wifi);
+hal_attribute(wifi_hostapd);
 hal_attribute(wifi_offload);
 hal_attribute(wifi_supplicant);
 
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index ce4b48cd0..017fcce7b 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -4,6 +4,7 @@ neverallow {
   halserverdomain
   -hal_bluetooth_server
   -hal_wifi_server
+  -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -hal_telephony_server
 } self:global_capability_class_set { net_admin net_raw };
@@ -14,6 +15,7 @@ neverallow {
   halserverdomain
   -hal_tetheroffload_server
   -hal_wifi_server
+  -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -hal_telephony_server
 } domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
new file mode 100644
index 000000000..03a554674
--- /dev/null
+++ b/public/hal_wifi_hostapd.te
@@ -0,0 +1,28 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
+binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
+
+add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
+allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
+
+allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
+
+allow hal_wifi_hostapd_server sysfs_net:dir search;
+
+# Allow hal_wifi_hostapd to access /proc/net/psched
+allow hal_wifi_hostapd_server proc_net:file { getattr open read };
+
+# Various socket permissions.
+allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
+allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
+
+###
+### neverallow rules
+###
+
+# hal_wifi_hostapd should not trust any data from sdcards
+neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_hostapd_server sdcard_type:file *;
diff --git a/public/hwservice.te b/public/hwservice.te
index 012592452..2b745c0b3 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -45,6 +45,7 @@ type hal_vibrator_hwservice, hwservice_manager_type;
 type hal_vr_hwservice, hwservice_manager_type;
 type hal_weaver_hwservice, hwservice_manager_type;
 type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type;
 type hal_wifi_offload_hwservice, hwservice_manager_type;
 type hal_wifi_supplicant_hwservice, hwservice_manager_type;
 type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/public/su.te b/public/su.te
index c63ae0ad4..031294548 100644
--- a/public/su.te
+++ b/public/su.te
@@ -94,6 +94,7 @@ userdebug_or_eng(`
   typeattribute su hal_vr_client;
   typeattribute su hal_weaver_client;
   typeattribute su hal_wifi_client;
+  typeattribute su hal_wifi_hostapd_client;
   typeattribute su hal_wifi_offload_client;
   typeattribute su hal_wifi_supplicant_client;
 ')
diff --git a/vendor/file.te b/vendor/file.te
index 6bebfb502..4de29c3cd 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,2 +1,4 @@
 # Socket types
 type hostapd_socket, file_type, data_file_type, core_data_file_type;
+# Hostapd conf files
+type hostapd_data_file, file_type, data_file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 90de40b5b..c2bd73c76 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -44,8 +44,9 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service  u:object_r:hal_wifi_offload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
-/(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/hostapd                                        u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hostapd                                           u:object_r:hostapd_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
 
 #############################
@@ -58,4 +59,5 @@
 #############################
 # Data files
 #
+/data/vendor/wifi/hostapd(/.*)?                                               u:object_r:hostapd_data_file:s0
 /data/misc/wifi/hostapd(/.*)?   u:object_r:hostapd_socket:s0
diff --git a/vendor/hal_wifi_hostapd_default.te b/vendor/hal_wifi_hostapd_default.te
new file mode 100644
index 000000000..5a3bbb6ee
--- /dev/null
+++ b/vendor/hal_wifi_hostapd_default.te
@@ -0,0 +1,11 @@
+# hostapd or equivalent
+type hal_wifi_hostapd_default, domain;
+hal_server_domain(hal_wifi_hostapd_default, hal_wifi_hostapd)
+type hal_wifi_hostapd_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_hostapd_default)
+
+net_domain(hal_wifi_hostapd_default)
+
+# Allow hostapd to access it's data folder
+allow hal_wifi_hostapd_default hostapd_data_file:dir rw_dir_perms;
+allow hal_wifi_hostapd_default hostapd_data_file:file create_file_perms;
-- 
GitLab