- Apr 01, 2017
Ningyuan Wang authored
Bug: 33239267
Test: compile, run wifi, no selinux complaint for wificond
Change-Id: I9b3e874381ac6cd7c6ff1058cc4f313bd85481b8
-
- Jan 26, 2017
William Roberts authored
Introduce the add_service() macro which wraps up add/find permissions for the source domain with a neverallow preventing others from adding it.

Only a particular domain should add a particular service. Use the add_service() macro to automatically add a neverallow that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service. Drop the add permission as it should just need the find permission.

Additionally, the macro adds the { add find } permission which causes some existing neverallow's to assert. Adjust those neverallow's so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were found, and all services, where applicable, seem to be running OK.
Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
- Dec 12, 2016
Roshan Pius authored
We're going to be using Android framework directly to invoke Wifi HIDL calls. So, change permissions appropriately.

Bug: 33398154
Test: Verified that framework is able to make HIDL calls using go/aog/310610.
Change-Id: I4d0d88961753ad73f3876aec58b26b89486cc02a
-
- Oct 28, 2016
Roshan Pius authored
Renaming the wifi HIDL implementation to 'hal_wifi' from 'wifi_hal_legacy' to conform with HIDL style guide.

Denials:
01-01 21:55:23.896 2865 2865 I android.hardware.wifi@1.0-service: wifi_hal_legacy is starting up...
01-01 21:55:23.898 2865 2865 W android.hardware.wifi@1.0-service: /odm/lib64/hw/ does not exit.
01-01 21:55:23.899 2865 2865 F android.hardware.wifi@1.0-service: service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL
01-01 21:55:23.899 2865 2865 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 2865 (android.hardwar)
01-01 21:55:23.901 377 377 W : debuggerd: handling request: pid=2865 uid=2000 gid=2000 tid=2865
01-01 21:55:23.907 2867 2867 E : debuggerd: Unable to connect to activity manager (connect failed: Connection refused)
01-01 21:55:23.908 2867 2867 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
01-01 21:55:23.908 2867 2867 F DEBUG : Build fingerprint: 'Android/aosp_angler/angler:7.0/NYC/rpius10031052:userdebug/test-keys'
01-01 21:55:23.908 2867 2867 F DEBUG : Revision: '0'
01-01 21:55:23.908 2867 2867 F DEBUG : ABI: 'arm64'
01-01 21:55:23.908 2867 2867 F DEBUG : pid: 2865, tid: 2865, name: android.hardwar >>> /system/bin/hw/android.hardware.wifi@1.0-service <<<
01-01 21:55:23.909 2867 2867 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
01-01 21:55:23.910 2867 2867 F DEBUG : Abort message: 'service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL'

Bug: 31821133
Test: Compiled and ensured that the selinux denials are no longer present in logs.
Change-Id: I5bbbcad307e9bb9e59fff87e2926751b3aecc813
-
- Oct 26, 2016
Roshan Pius authored
Modify permissions for wpa_supplicant to use hwbinder (for HIDL), instead of binder.

Denials:
01-15 14:31:58.573 541 541 W wpa_supplicant: type=1400 audit(0.0:10): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0
01-15 14:31:58.573 541 541 W wpa_supplicant: type=1400 audit(0.0:11): avc: denied { call } for scontext=u:r:wpa:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0

BUG: 31365276
Test: Compiled and ensured that the selinux denials are no longer present in logs.
Change-Id: Ifa4630edea6ec5a916b3940f9a03ef9dc6fc9af2
-
- Oct 06, 2016
dcashman authored
Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version.

Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public.

Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
-
- Sep 19, 2016
Mitchell Wills authored
avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=binder permissive=1
avc: denied { bind } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { call } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=1
avc: denied { getattr } for path="/proc/4355/net/psched" dev="proc" ino=4026535370 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { getattr } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { ioctl } for path="socket:[28193]" dev="sockfs" ino=28193 ioctlcmd=8933 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=1
avc: denied { ioctl } for path="socket:[34821]" dev="sockfs" ino=34821 ioctlcmd=8933 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=1
avc: denied { net_admin } for capability=12 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=capability permissive=1
avc: denied { net_raw } for capability=13 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=capability permissive=1
avc: denied { open } for path="/proc/2754/net/psched" dev="proc" ino=4026535377 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/class/net" dev="sysfs" ino=10488 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { read } for name="net" dev="sysfs" ino=10488 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { read } for name="psched" dev="proc" ino=4026535370 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { read } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { setopt } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { transfer } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { write } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=0
avc: denied { net_admin } for capability=12 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=capability permissive=0
avc: denied { read } for name="net" dev="sysfs" ino=9862 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=0

Bug: 31352200
Test: can boot angler & bullhead and start/stop HAL repeatedly
Change-Id: Ide93730d362fb93602742fc10b22fff6e7d56f6b
-
- Sep 11, 2016
Jeff Vander Stoep authored
Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule.

Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
-
- Sep 07, 2016
Dmitry Shmidt authored
Bug: 31246864
Change-Id: I8319e632b3be1e558dfc550453b8298914c89064
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
-
- Sep 01, 2016
Christopher Wiley authored
Newer kernels apparently introduce a new SELinux label "netlink_generic_socket". AOSP is missing some patches for ioctl whitelisting and it was suggested we add unpriv_socket_ioctls as a stopgap.

Bug: 31226503
Change-Id: Ie4dd499925f74747c0247e5d7ad0de0f673b5ed2
-
- Aug 26, 2016
Christopher Wiley authored
wificond will now change user/group to wifi/wifi after taking control of a particular path in the sysfs.

Bug: 29870863
Change-Id: I9ccb23f60a66d6850f3969c364288f8850044fed
Test: wificond unit and integration tests pass
(cherry picked from commit 8a04a313)
-
Christopher Wiley authored
This is apparently a privileged ioctl. Being able to do this allows us to no longer kill hostapd with SIGTERM, since we can cleanup after hard stops.

Bug: 31023120
Test: wificond unit and integration tests pass
Change-Id: Icdf2469d403f420c742871f54b9fb17432805991
(cherry picked from commit ca7b04ba)
-
Christopher Wiley authored
system_server communicates with wpa_supplicant via various control sockets. Allow wificond to unlink these sockets after killing wpa_supplicant.

Bug: 30666540
Change-Id: Ic1419a587f066c36723c24518952025834959535
(cherry picked from commit ba96cd1c)
-
Christopher Wiley authored
Stopping hostapd abruptly with SIGKILL can sometimes leave the driver in a poor state. Long term, we should pro-actively go in and clean up the driver. In the short term, it helps tremendously to send SIGTERM and give hostapd time to clean itself up.

Bug: 30311493
Test: With patches in this series, wificond can cleanly start and stop hostapd in integration tests.
Change-Id: Ic770c2fb1a1b636fced4620fe6e24d1c8dcdfeb8
(cherry picked from commit 762cb7c4)
-
Christopher Wiley authored
Bug: 30292103
Change-Id: I433f2b8cc912b42bf026f6e908fd458a07c41fc2
Test: Integration tests reveal wificond can start/stop hostapd.
(cherry picked from commit 1faa9c55)
-
Christopher Wiley authored
We need the ability to set file permissions, create files, write files, chown files.

Test: integration tests that start/stop hostapd and write its config file via wificond pass without SELinux denials.
Bug: 30040724
Change-Id: Iee15fb36a6a4a89009d4b45281060379d70cd53c
(cherry picked from commit f83da142)
-
Ningyuan Wang authored
wificond: type=1400 audit(0.0:43): avc: denied { create } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1
wificond: type=1400 audit(0.0:44): avc: denied { setopt } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1
wificond: type=1400 audit(0.0:45): avc: denied { net_admin } for capability=12 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=capability permissive=1
wificond: type=1400 audit(0.0:46): avc: denied { bind } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1
wificond: type=1400 audit(0.0:47): avc: denied { write } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1
wificond: type=1400 audit(0.0:48): avc: denied { read } for path="socket:[35892]" dev="sockfs" ino=35892 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1

TEST=compile and run
Change-Id: I5e1befabca7388d5b2145f49462e5cff872d9f43
(cherry picked from commit 781cfd82)
-
Christopher Wiley authored
avc: denied { create } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=udp_socket permissive=0
avc: denied { net_raw } for capability=13 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=capability permissive=0
avc: denied { read } for name="psched" dev="proc" ino=4026535377 scontext=u:r:wificond:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0

Test: fixes above avc denials
Bug: 29579539
Change-Id: Ie1dff80103e81cfba8064a22b5dd3e1e8f29471b
(cherry picked from commit b6a6561d)
-
Christopher Wiley authored
wificond would like to be able to set WiFi related properties without access to the rest of the system properties. Today, this only involves marking the driver as loaded or unloaded.

avc: denied { write } for name="property_service" dev="tmpfs" ino=10100 scontext=u:r:wificond:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0

Bug: 29579539
Test: No avc denials related to system properties across various WiFi events.
Change-Id: I6d9f1de3fbef04cb7750cc3753634f9e02fdb71f
(cherry picked from commit 1ebfdd6a)
-
Christopher Wiley authored
avc: denied { write } for name="fwpath" dev="sysfs" ino=6863 scontext=u:r:wificond:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0

Test: wificond and netd can write to this path, wifi works
Test: `runtest frameworks-wifi` passes
Bug: 29579539
Change-Id: Ia21c654b00b09b9fe3e50d564b82966c9c8e6994
(cherry picked from commit 7d13dd80)
-
Roshan Pius authored
Add the necessary permissions for |wpa_supplicant| to expose a binder interface. This binder interface will be used by the newly added |wificond| service (and potentially system_server). |wpa_supplicant| also needs to invoke binder callbacks on |wificond|.

Changes in the CL:
1. Allow |wpa_supplicant| to register binder service.
2. Allow |wpa_supplicant| to invoke binder calls on |wificond|.
3. Allow |wificond| to invoke binder calls on |wpa_supplicant|

Denials:
06-30 08:14:42.788 400 400 E SELinux : avc: denied { add } for service=wpa_supplicant pid=20756 uid=1010 scontext=u:r:wpa:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1

BUG:29877467
TEST: Compiled and ensured that the selinux denials are no longer present in logs.
TEST: Ran integration test to find the service.
Change-Id: Ib78d8e820fc81b2c3d9260e1c877c5faa9f1f662
(cherry picked from commit 18883a93)
-
Ningyuan Wang authored
This allows wificond to publish binder interface using service manager.

Denial warnings:
wificond: type=1400 audit(0.0:8): avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
wificond: type=1400 audit(0.0:9): avc: denied { transfer } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
servicemanager: type=1400 audit(0.0:10): avc: denied { search } for name="6085" dev="proc" ino=40626 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=dir permissive=1
servicemanager: type=1400 audit(0.0:11): avc: denied { read } for name="current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1
servicemanager: type=1400 audit(0.0:12): avc: denied { open } for path="/proc/6085/attr/current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1
servicemanager: type=1400 audit(0.0:13): avc: denied { getattr } for scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=process permissive=1
SELinux : avc: denied { add } for service=wificond pid=6085 uid=0 scontext=u:r:wificond:s0 tcontext=u:object_r:wifi_service:s0 tclass=service_manager permissive=1

BUG=28867093
TEST=compile
TEST=use a client to call wificond service through binder
Change-Id: I9312892caff171f17b04c30a415c07036b39ea7f
(cherry picked from commit d56bcb1c)
-
Ningyuan Wang authored
This sepolicy change allows wificond to run as a daemon.

BUG=28865186
TEST=compile
TEST=compile with ag/1059605
Add wificond to '/target/product/base.mk'
Adb shell ps -A | grep 'wificond'
Change-Id: If1e4a8542ac03e8ae42371d75aa46b90c3d8545d
(cherry picked from commit 4ef44a61)
-
- Aug 23, 2016
Christopher Wiley authored
wificond will now change user/group to wifi/wifi after taking control of a particular path in the sysfs.

Bug: 29870863
Change-Id: I9ccb23f60a66d6850f3969c364288f8850044fed
Test: wificond unit and integration tests pass
-
Christopher Wiley authored
This is apparently a privileged ioctl. Being able to do this allows us to no longer kill hostapd with SIGTERM, since we can cleanup after hard stops.

Bug: 31023120
Test: wificond unit and integration tests pass
Change-Id: Icdf2469d403f420c742871f54b9fb17432805991
-
- Aug 15, 2016
Christopher Wiley authored
system_server communicates with wpa_supplicant via various control sockets. Allow wificond to unlink these sockets after killing wpa_supplicant.

Bug: 30666540
Change-Id: Ic1419a587f066c36723c24518952025834959535
-
- Jul 29, 2016
Christopher Wiley authored
Stopping hostapd abruptly with SIGKILL can sometimes leave the driver in a poor state. Long term, we should pro-actively go in and clean up the driver. In the short term, it helps tremendously to send SIGTERM and give hostapd time to clean itself up.

Bug: 30311493
Test: With patches in this series, wificond can cleanly start and stop hostapd in integration tests.
Change-Id: Ic770c2fb1a1b636fced4620fe6e24d1c8dcdfeb8
-
- Jul 22, 2016
Christopher Wiley authored
Bug: 30292103
Change-Id: I433f2b8cc912b42bf026f6e908fd458a07c41fc2
Test: Integration tests reveal wificond can start/stop hostapd.
-
- Jul 21, 2016
Christopher Wiley authored
We need the ability to set file permissions, create files, write files, chown files.

Test: integration tests that start/stop hostapd and write its config file via wificond pass without SELinux denials.
Bug: 30040724
Change-Id: Iee15fb36a6a4a89009d4b45281060379d70cd53c
-
- Jul 19, 2016
Ningyuan Wang authored
wificond: type=1400 audit(0.0:43): avc: denied { create } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1
wificond: type=1400 audit(0.0:44): avc: denied { setopt } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1
wificond: type=1400 audit(0.0:45): avc: denied { net_admin } for capability=12 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=capability permissive=1
wificond: type=1400 audit(0.0:46): avc: denied { bind } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1
wificond: type=1400 audit(0.0:47): avc: denied { write } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1
wificond: type=1400 audit(0.0:48): avc: denied { read } for path="socket:[35892]" dev="sockfs" ino=35892 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1

TEST=compile and run
Change-Id: I5e1befabca7388d5b2145f49462e5cff872d9f43
-
- Jul 01, 2016
Christopher Wiley authored
avc: denied { create } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=udp_socket permissive=0
avc: denied { net_raw } for capability=13 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=capability permissive=0
avc: denied { read } for name="psched" dev="proc" ino=4026535377 scontext=u:r:wificond:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0

Test: fixes above avc denials
Bug: 29579539
Change-Id: Ie1dff80103e81cfba8064a22b5dd3e1e8f29471b
-
Christopher Wiley authored
wificond would like to be able to set WiFi related properties without access to the rest of the system properties. Today, this only involves marking the driver as loaded or unloaded.

avc: denied { write } for name="property_service" dev="tmpfs" ino=10100 scontext=u:r:wificond:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0

Bug: 29579539
Test: No avc denials related to system properties across various WiFi events.
Change-Id: I6d9f1de3fbef04cb7750cc3753634f9e02fdb71f
-
Christopher Wiley authored
avc: denied { write } for name="fwpath" dev="sysfs" ino=6863 scontext=u:r:wificond:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0

Test: wificond and netd can write to this path, wifi works
Test: `runtest frameworks-wifi` passes
Bug: 29579539
Change-Id: Ia21c654b00b09b9fe3e50d564b82966c9c8e6994
-
- Jun 30, 2016
Roshan Pius authored
Add the necessary permissions for |wpa_supplicant| to expose a binder interface. This binder interface will be used by the newly added |wificond| service (and potentially system_server). |wpa_supplicant| also needs to invoke binder callbacks on |wificond|.

Changes in the CL:
1. Allow |wpa_supplicant| to register binder service.
2. Allow |wpa_supplicant| to invoke binder calls on |wificond|.
3. Allow |wificond| to invoke binder calls on |wpa_supplicant|

Denials:
06-30 08:14:42.788 400 400 E SELinux : avc: denied { add } for service=wpa_supplicant pid=20756 uid=1010 scontext=u:r:wpa:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1

BUG:29877467
TEST: Compiled and ensured that the selinux denials are no longer present in logs.
TEST: Ran integration test to find the service.
Change-Id: Ib78d8e820fc81b2c3d9260e1c877c5faa9f1f662
-
- Jun 06, 2016
Ningyuan Wang authored
This allows wificond to publish binder interface using service manager.

Denial warnings:
wificond: type=1400 audit(0.0:8): avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
wificond: type=1400 audit(0.0:9): avc: denied { transfer } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
servicemanager: type=1400 audit(0.0:10): avc: denied { search } for name="6085" dev="proc" ino=40626 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=dir permissive=1
servicemanager: type=1400 audit(0.0:11): avc: denied { read } for name="current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1
servicemanager: type=1400 audit(0.0:12): avc: denied { open } for path="/proc/6085/attr/current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1
servicemanager: type=1400 audit(0.0:13): avc: denied { getattr } for scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=process permissive=1
SELinux : avc: denied { add } for service=wificond pid=6085 uid=0 scontext=u:r:wificond:s0 tcontext=u:object_r:wifi_service:s0 tclass=service_manager permissive=1

BUG=28867093
TEST=compile
TEST=use a client to call wificond service through binder
Change-Id: I9312892caff171f17b04c30a415c07036b39ea7f
-
- May 20, 2016
Ningyuan Wang authored
This sepolicy change allows wificond to run as a daemon.

BUG=28865186
TEST=compile
TEST=compile with ag/1059605
Add wificond to '/target/product/base.mk'
Adb shell ps -A | grep 'wificond'
Change-Id: If1e4a8542ac03e8ae42371d75aa46b90c3d8545d
-