wifi_stack: Move to network_stack process
The wifi stack APK will run inside the network_stack process. So, move
the sepolicy rules for wifi stack inside the network stack rules.
Bug: 135691051
Test: Manual tests
- manual connect to wifi networks
- Remove networks
Test: Will send for ACTS wifi regression testing
Change-Id: I9d5da80852f22fa1d12b2dbbc76b9e06c1275310
(cherry-picked from b83abf7af3df64e0d3c1b22548f2344b55aece28)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index ae33b71..1d31dbb 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -24,6 +24,4 @@
vendor_apex_file
vendor_boringssl_self_test
virtual_ab_prop
- wifi_stack
- wifi_stack_service
- wifi_stack_tmpfs))
+ wifi_stack_service))
diff --git a/private/logd.te b/private/logd.te
index a9c65b0..f24cb80 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -35,5 +35,5 @@
-shell
userdebug_or_eng(`-su')
-system_app
- -wifi_stack
+ -network_stack
} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/private/network_stack.te b/private/network_stack.te
index b214538..a969986 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,4 +1,4 @@
-# Networking service app
+############### Networking service app - NetworkStack.apk ##############
typeattribute network_stack coredomain;
app_domain(network_stack);
@@ -28,3 +28,41 @@
allow network_stack radio_data_file:file create_file_perms;
binder_call(network_stack, netd);
+
+############### Wifi Service app - WifiStack.apk ##############
+# Data file accesses.
+# Manage /data/misc/wifi & /data/misc_ce/<user_id>/wifi.
+allow network_stack wifi_data_file:dir create_dir_perms;
+allow network_stack wifi_data_file:file create_file_perms;
+
+# Property accesses
+userdebug_or_eng(`
+ set_prop(network_stack, wifi_log_prop)
+
+ # Allow network_stack to read dmesg
+ # TODO(b/137085509): Remove this.
+ allow network_stack kernel:system syslog_read;
+')
+
+# Binder IPC.
+allow network_stack network_score_service:service_manager find;
+allow network_stack network_stack_service:service_manager find;
+allow network_stack radio_service:service_manager find;
+allow network_stack wificond_service:service_manager find;
+allow network_stack wifiscanner_service:service_manager find;
+binder_call(network_stack, system_server)
+binder_call(network_stack, wificond)
+
+# HwBinder IPC.
+hal_client_domain(network_stack, hal_wifi)
+hal_client_domain(network_stack, hal_wifi_hostapd)
+hal_client_domain(network_stack, hal_wifi_supplicant)
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow network_stack debugfs_tracing_instances:dir search;
+allow network_stack debugfs_wifi_tracing:dir search;
+allow network_stack debugfs_wifi_tracing:file rw_file_perms;
+
+# dumpstate support
+allow network_stack dumpstate:fd use;
+allow network_stack dumpstate:fifo_file write;
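Review bot: The Connectivity rules from the deleted private/wifi_stack.te have no counterpart in this hunk: `allow wifi_stack self:capability { net_bind_service net_admin net_raw };`, the `self:packet_socket` and `self:netlink_route_socket nlmsg_write` allows, and the `allowxperm ... self:udp_socket ioctl priv_sock_ioctls` line, nor do the `radio_data_file:dir search` and `app_api_service`/`netd_service` finds. If network_stack.te lines 5-27 (outside this hunk) do not already grant equivalents to network_stack, the wifi code paths that relied on them will be denied after the merge; either carry them over under the WifiStack header or state in that header that they were dropped deliberately. The comment `# Manage /data/misc/wifi & /data/misc_ce/<user_id>/wifi.` also only holds if both paths are labelled wifi_data_file, which this change does not show.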
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 705e03d..c74bd2c 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -143,9 +143,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-# TODO (b/135691051): wifi stack is temporarily a separate process. Will merge to network_stack once non-formal API dependencies are fixed.
-user=network_stack seinfo=network_stack name=com.android.server.wifistack domain=wifi_stack
-user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
+user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
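Review bot: The new network_stack entry drops the `levelFrom=all` that the replaced line carried, so the merged process no longer receives per-user MLS categories, and the commit message does not mention this. If the wifi code has to reach every user's data (the new network_stack.te comment names /data/misc_ce/<user_id>/wifi), that is presumably the motivation, but it removes a separation the network stack domain previously had. Either restore `levelFrom=all` or record the reason next to the entry, e.g. `# No levelFrom: the merged wifi stack accesses per-user wifi data across users.`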
diff --git a/private/wifi_stack.te b/private/wifi_stack.te
deleted file mode 100644
index 1f19faa..0000000
--- a/private/wifi_stack.te
+++ /dev/null
@@ -1,56 +0,0 @@
-# Wifi Stack Mandatory
-typeattribute wifi_stack coredomain;
-
-app_domain(wifi_stack)
-net_domain(wifi_stack)
-
-# Data file accesses.
-# Manage /data/misc/wifi.
-allow wifi_stack wifi_data_file:dir create_dir_perms;
-allow wifi_stack wifi_data_file:file create_file_perms;
-allow wifi_stack radio_data_file:dir search;
-
-# Property accesses
-userdebug_or_eng(`
- set_prop(wifi_stack, wifi_log_prop)
-
- # Allow wifi_stack to read dmesg
- # TODO(b/137085509): Remove this.
- allow wifi_stack kernel:system syslog_read;
-')
-
-# ctl interface
-
-# Perform Binder IPC.
-binder_use(wifi_stack)
-allow wifi_stack app_api_service:service_manager find;
-allow wifi_stack network_score_service:service_manager find;
-allow wifi_stack netd_service:service_manager find;
-allow wifi_stack network_stack_service:service_manager find;
-allow wifi_stack radio_service:service_manager find;
-allow wifi_stack wificond_service:service_manager find;
-allow wifi_stack wifiscanner_service:service_manager find;
-binder_call(wifi_stack, system_server)
-binder_call(wifi_stack, wificond)
-binder_call(wifi_stack, network_stack)
-
-# Perform HwBinder IPC.
-hwbinder_use(wifi_stack)
-hal_client_domain(wifi_stack, hal_wifi)
-hal_client_domain(wifi_stack, hal_wifi_hostapd)
-hal_client_domain(wifi_stack, hal_wifi_supplicant)
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow wifi_stack debugfs_tracing_instances:dir search;
-allow wifi_stack debugfs_wifi_tracing:dir search;
-allow wifi_stack debugfs_wifi_tracing:file rw_file_perms;
-
-# Connectivity
-allow wifi_stack self:capability { net_bind_service net_admin net_raw };
-allow wifi_stack self:packet_socket create_socket_perms_no_ioctl;
-allow wifi_stack self:netlink_route_socket nlmsg_write;
-allowxperm wifi_stack self:udp_socket ioctl priv_sock_ioctls;
-
-# dumpstate support
-allow wifi_stack dumpstate:fd use;
-allow wifi_stack dumpstate:fifo_file write;
diff --git a/public/app.te b/public/app.te
index 17b7852..ea3cf15 100644
--- a/public/app.te
+++ b/public/app.te
@@ -365,7 +365,7 @@
# Superuser capabilities.
# bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack -wifi_stack } self:capability_class_set *;
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
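Review bot: The comment directly above the changed neverallow still says `bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.`, although the exemption set below it no longer names any wifi domain. If "wifi" there referred to the removed wifi_stack domain, the comment should reflect the merge, e.g. `# bluetooth requires net_admin and wake_alarm. network stack app (which now also hosts the wifi stack) requires net_admin.` If it refers to something else, leaving it as-is will mislead the next reader into looking for a wifi exemption that no longer exists.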
@@ -488,7 +488,7 @@
neverallow appdomain
systemkeys_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -wifi_stack }
+neverallow { appdomain -network_stack }
wifi_data_file:dir_file_class_set *;
neverallow appdomain
dhcp_data_file:dir_file_class_set
@@ -512,7 +512,7 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain userdebug_or_eng(`-wifi_stack') } kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain userdebug_or_eng(`-network_stack') } kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/public/netd.te b/public/netd.te
index 3e48bd2..c15a03b 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -141,7 +141,6 @@
-network_stack
-netd
-netutils_wrapper
- -wifi_stack
} netd_service:service_manager find;
# only system_server, dumpstate and network stack app may find dnsresolver service
@@ -152,12 +151,11 @@
-network_stack
-netd
-netutils_wrapper
- -wifi_stack
} dnsresolver_service:service_manager find;
# apps may not interact with netd over binder.
-neverallow { appdomain -network_stack -wifi_stack } netd:binder call;
-neverallow netd { appdomain -network_stack -wifi_stack userdebug_or_eng(`-su') }:binder call;
+neverallow { appdomain -network_stack } netd:binder call;
+neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
diff --git a/public/wifi_stack.te b/public/wifi_stack.te
deleted file mode 100644
index f1a26f5..0000000
--- a/public/wifi_stack.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Wifi Stack Mandatory
-type wifi_stack, domain;
diff --git a/public/wificond.te b/public/wificond.te
index ae83846..e11d45d 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,7 +4,7 @@
binder_use(wificond)
binder_call(wificond, system_server)
-binder_call(wificond, wifi_stack)
+binder_call(wificond, network_stack)
add_service(wificond, wificond_service)