sepolicy(hostapd): Add a HIDL interface for hostapd

* Note on cherry-pick: Some of the dependent changes are not in AOSP.
In order to keep hostapd running correctly in AOSP, I've modified this
change to only include policy additions.

Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
(cherry picked from commit 5bca3e86)

private/compat/26.0/26.0.ignore.cil

@@ -53,6 +53,7 @@
     hal_secure_element_hwservice
     hal_tetheroffload_hwservice
     hal_usb_gadget_hwservice
+    hal_wifi_hostapd_hwservice
     hal_wifi_offload_hwservice
     incident_helper
     incident_helper_exec

private/hwservice_contexts

@@ -55,6 +55,7 @@ android.hardware.vibrator::IVibrator                            u:object_r:hal_v
 android.hardware.vr::IVr                                        u:object_r:hal_vr_hwservice:s0
 android.hardware.weaver::IWeaver                                u:object_r:hal_weaver_hwservice:s0
 android.hardware.wifi::IWifi                                    u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.hostapd::IHostapd                         u:object_r:hal_wifi_hostapd_hwservice:s0
 android.hardware.wifi.offload::IOffload                         u:object_r:hal_wifi_offload_hwservice:s0
 android.hardware.wifi.supplicant::ISupplicant                   u:object_r:hal_wifi_supplicant_hwservice:s0
 android.hidl.allocator::IAllocator                              u:object_r:hidl_allocator_hwservice:s0

private/system_server.te

@@ -213,6 +213,7 @@ hal_client_domain(system_server, hal_vibrator)
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_weaver)
 hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_hostapd)
 hal_client_domain(system_server, hal_wifi_offload)
 hal_client_domain(system_server, hal_wifi_supplicant)
 

public/attributes

@@ -276,6 +276,7 @@ hal_attribute(vibrator);
 hal_attribute(vr);
 hal_attribute(weaver);
 hal_attribute(wifi);
+hal_attribute(wifi_hostapd);
 hal_attribute(wifi_offload);
 hal_attribute(wifi_supplicant);
 

public/hal_neverallows.te

@@ -4,6 +4,7 @@ neverallow {
   halserverdomain
   -hal_bluetooth_server
   -hal_wifi_server
+  -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -hal_telephony_server
 } self:global_capability_class_set { net_admin net_raw };
@@ -14,6 +15,7 @@ neverallow {
   halserverdomain
   -hal_tetheroffload_server
   -hal_wifi_server
+  -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -hal_telephony_server
 } domain:{ tcp_socket udp_socket rawip_socket } *;

public/hal_wifi_hostapd.te

+# HwBinder IPC from client to server
+binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
+binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
+
+add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
+allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
+
+allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
+
+allow hal_wifi_hostapd_server sysfs_net:dir search;
+
+# Allow hal_wifi_hostapd to access /proc/net/psched
+allow hal_wifi_hostapd_server proc_net:file { getattr open read };
+
+# Various socket permissions.
+allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
+allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
+
+###
+### neverallow rules
+###
+
+# hal_wifi_hostapd should not trust any data from sdcards
+neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_hostapd_server sdcard_type:file *;

public/hwservice.te

@@ -45,6 +45,7 @@ type hal_vibrator_hwservice, hwservice_manager_type;
 type hal_vr_hwservice, hwservice_manager_type;
 type hal_weaver_hwservice, hwservice_manager_type;
 type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type;
 type hal_wifi_offload_hwservice, hwservice_manager_type;
 type hal_wifi_supplicant_hwservice, hwservice_manager_type;
 type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;

public/su.te

@@ -94,6 +94,7 @@ userdebug_or_eng(`
   typeattribute su hal_vr_client;
   typeattribute su hal_weaver_client;
   typeattribute su hal_wifi_client;
+  typeattribute su hal_wifi_hostapd_client;
   typeattribute su hal_wifi_offload_client;
   typeattribute su hal_wifi_supplicant_client;
 ')

vendor/file.te

 # Socket types
 type hostapd_socket, file_type, data_file_type, core_data_file_type;
+# Hostapd conf files
+type hostapd_data_file, file_type, data_file_type;

vendor/file_contexts

@@ -44,8 +44,9 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service  u:object_r:hal_wifi_offload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
-/(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/hostapd                                        u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hostapd                                           u:object_r:hostapd_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
 
 #############################
@@ -58,4 +59,5 @@
 #############################
 # Data files
 #
+/data/vendor/wifi/hostapd(/.*)?                                               u:object_r:hostapd_data_file:s0
 /data/misc/wifi/hostapd(/.*)?   u:object_r:hostapd_socket:s0

vendor/hal_wifi_hostapd_default.te

+# hostapd or equivalent
+type hal_wifi_hostapd_default, domain;
+hal_server_domain(hal_wifi_hostapd_default, hal_wifi_hostapd)
+type hal_wifi_hostapd_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_hostapd_default)
+
+net_domain(hal_wifi_hostapd_default)
+
+# Allow hostapd to access it's data folder
+allow hal_wifi_hostapd_default hostapd_data_file:dir rw_dir_perms;
+allow hal_wifi_hostapd_default hostapd_data_file:file create_file_perms;