From e58a8de5e742a1ff854328121c0891505cdbb91f Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 26 Jun 2017 22:06:20 -0700
Subject: [PATCH] hal_tetheroffload: Grant permissions

avc: denied { read write } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { setopt } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { getattr } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { create } for scontext=u:r:system_server:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket

Bug: 29337859
Bug: 32163131
Test: adb shell getenforce
Enforcing
adb shell dumpsys connectivity tethering
Tethering:
  ...
  Log:
    ...
    06-28 11:46:58.841 - SET master tether settings: ON
    06-28 11:46:58.857 - [OffloadController] tethering offload started
And logs show some signs of happiness:
    06-28 11:46:58.853   816   947 I IPAHALService: IPACM was provided two FDs (18, 19)
    06-28 11:46:58.853  1200  1571 I zygote64: Looking for service android.hardware.tetheroffload.control@1.0::IOffloadControl/default
Change-Id: I0c63bd2de334b4ca40e54efb9df4ed4904667e21
---
 private/system_server.te            | 3 +++
 public/hal_tetheroffload.te         | 5 +++++
 public/hwservice.te                 | 1 +
 vendor/hal_tetheroffload_default.te | 5 +++++
 4 files changed, 14 insertions(+)
 create mode 100644 vendor/hal_tetheroffload_default.te

diff --git a/private/system_server.te b/private/system_server.te
index 3c3f82d97..f06592a62 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -79,6 +79,9 @@ allow system_server kernel:system module_request;
 # Allow alarmtimers to be set
 allow system_server self:capability2 wake_alarm;
 
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
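Review bot: The new `allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;` grants the full create/bind/connect/read/write/... set, while the only system_server denial quoted in the description is `create`; the read/write/getattr/setopt operations are denied for `ipacm` and are covered by the server-side rule in public/hal_tetheroffload.te. If the controller really only creates the sockets and hands them over, a narrower set closer to the observed denials would be the least-privilege choice — worth confirming against what OffloadController actually does with the socket before it is passed. The comment could also point readers at where the sharing is authorised, e.g. `# Create netlink_netfilter_sockets and hand them to the tetheroffload HAL; the server's use of them is granted in public/hal_tetheroffload.te.`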
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
index a4c21fcdf..48d67a29b 100644
--- a/public/hal_tetheroffload.te
+++ b/public/hal_tetheroffload.te
@@ -1,3 +1,8 @@
 ## HwBinder IPC from client to server, and callbacks
 binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
 binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
+
+allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
+
+# allow the client to pass the server already open netlink sockets
+allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
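Review bot: The comment above the last added rule describes passing the sockets, but the rule itself grants the server `{ getattr read setopt write }` on sockets created by the client domain; the fd transfer is what `binder_call` covers, so the comment reads as documenting a different rule. Suggest `# allow the server to read/write/getattr/setopt netlink_netfilter sockets that were opened by the client and passed over binder`. The `hwservice_manager find` rule at `+allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;` has no comment either; a one-liner such as `# let clients locate the tetheroffload HAL service` would match the file's style. Note that the permission set is typed on `hal_tetheroffload_client`, so any domain carrying that attribute exposes its netfilter sockets to the server — presumably intended, since this is a public policy file, but worth stating in the comment.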
diff --git a/public/hwservice.te b/public/hwservice.te
index c3f30771b..bb2c668d7 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -28,6 +28,7 @@ type hal_power_hwservice, hwservice_manager_type;
 type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
 type hal_sensors_hwservice, hwservice_manager_type;
 type hal_telephony_hwservice, hwservice_manager_type;
+type hal_tetheroffload_hwservice, hwservice_manager_type;
 type hal_thermal_hwservice, hwservice_manager_type;
 type hal_tv_cec_hwservice, hwservice_manager_type;
 type hal_tv_input_hwservice, hwservice_manager_type;
diff --git a/vendor/hal_tetheroffload_default.te b/vendor/hal_tetheroffload_default.te
new file mode 100644
index 000000000..03c542b28
--- /dev/null
+++ b/vendor/hal_tetheroffload_default.te
@@ -0,0 +1,5 @@
+type hal_tetheroffload_default, domain;
+hal_server_domain(hal_tetheroffload_default, hal_tetheroffload)
+
+type hal_tetheroffload_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tetheroffload_default)
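Review bot: The new file declares `hal_tetheroffload_default_exec` and calls `init_daemon_domain(hal_tetheroffload_default)`, but nothing in this patch labels a binary with that exec type, so the domain transition can only take effect once a file_contexts entry exists — presumably in a separate change, but it should be named in the description. The denials in the description come from `ipacm`, not from `hal_tetheroffload_default`, so on the tested device the actual server is apparently a vendor domain that must itself be given `hal_server_domain(..., hal_tetheroffload)`; a short header comment stating that this file only covers the default implementation would help. Suggested first line: `# Default (reference) implementation of the tetheroffload HAL; vendor servers declare their own domain with hal_server_domain(<domain>, hal_tetheroffload).`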