sepolicy: Permission changes for new wifi mainline module
Move wifi services out of system_server into a separate APK/process.
Changes:
a) Created sepolicy for the new wifi apk.
b) The new APK will run with network_stack uid (eventually will be moved
to the same process).
Used 'audit2allow' tool to gather list of permissions required.
Note: The existing wifi related permissions in system_server is left
behind to allow the module to be loaded into system_server or
network_stack process depending on device configuration.
Bug: 113174748
Test: Device boots up and able to make wifi connection.
Test: Tested hotspot functionality.
Test: Ran WifiManagerTest & WifiSoftApTest ACTS tests locally.
Test: Will send for wifi regression tests.
Change-Id: Id19643a235bf0c28238f2729926b893ac2025b97
(cherry-picked from c7aa90091e6bec70a31a643cc4519a9a86fb0b38)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 225b582..30437ee 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -10,4 +10,7 @@
device_config_sys_traced_prop
runtime_apex_dir
system_ashmem_hwservice
- vendor_apex_file))
+ vendor_apex_file
+ wifi_stack
+ wifi_stack_service
+ wifi_stack_tmpfs))
diff --git a/private/file_contexts b/private/file_contexts
index 6975e7c..60b569d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -507,6 +507,7 @@
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
+/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
diff --git a/private/logd.te b/private/logd.te
index ca92e20..a9c65b0 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -35,4 +35,5 @@
-shell
userdebug_or_eng(`-su')
-system_app
+ -wifi_stack
} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ad8a76c..705e03d 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -143,6 +143,8 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+# TODO (b/135691051): wifi stack is temporarily a separate process. Will merge to network_stack once non-formal API dependencies are fixed.
+user=network_stack seinfo=network_stack name=com.android.server.wifistack domain=wifi_stack
user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
diff --git a/private/service_contexts b/private/service_contexts
index 7d6cb47..49bdb29 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -219,5 +219,6 @@
wificond u:object_r:wificond_service:s0
wifiaware u:object_r:wifiaware_service:s0
wifirtt u:object_r:rttmanager_service:s0
+wifi_stack u:object_r:wifi_stack_service:s0
window u:object_r:window_service:s0
* u:object_r:default_android_service:s0
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 348d3ce..e7f27b9 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -21,6 +21,7 @@
rollback_data_file
storaged_data_file
vold_data_file
+ wifi_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
backup_data_file
@@ -31,6 +32,7 @@
storaged_data_file
system_data_file
vold_data_file
+ wifi_data_file
}:file { getattr unlink };
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/private/wifi_stack.te b/private/wifi_stack.te
new file mode 100644
index 0000000..1f19faa
--- /dev/null
+++ b/private/wifi_stack.te
@@ -0,0 +1,56 @@
+# Wifi Stack Mandatory
+typeattribute wifi_stack coredomain;
+
+app_domain(wifi_stack)
+net_domain(wifi_stack)
+
+# Data file accesses.
+# Manage /data/misc/wifi.
+allow wifi_stack wifi_data_file:dir create_dir_perms;
+allow wifi_stack wifi_data_file:file create_file_perms;
+allow wifi_stack radio_data_file:dir search;
+
+# Property accesses
+userdebug_or_eng(`
+ set_prop(wifi_stack, wifi_log_prop)
+
+ # Allow wifi_stack to read dmesg
+ # TODO(b/137085509): Remove this.
+ allow wifi_stack kernel:system syslog_read;
+')
+
+# ctl interface
+
+# Perform Binder IPC.
+binder_use(wifi_stack)
+allow wifi_stack app_api_service:service_manager find;
+allow wifi_stack network_score_service:service_manager find;
+allow wifi_stack netd_service:service_manager find;
+allow wifi_stack network_stack_service:service_manager find;
+allow wifi_stack radio_service:service_manager find;
+allow wifi_stack wificond_service:service_manager find;
+allow wifi_stack wifiscanner_service:service_manager find;
+binder_call(wifi_stack, system_server)
+binder_call(wifi_stack, wificond)
+binder_call(wifi_stack, network_stack)
+
+# Perform HwBinder IPC.
+hwbinder_use(wifi_stack)
+hal_client_domain(wifi_stack, hal_wifi)
+hal_client_domain(wifi_stack, hal_wifi_hostapd)
+hal_client_domain(wifi_stack, hal_wifi_supplicant)
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow wifi_stack debugfs_tracing_instances:dir search;
+allow wifi_stack debugfs_wifi_tracing:dir search;
+allow wifi_stack debugfs_wifi_tracing:file rw_file_perms;
+
+# Connectivity
+allow wifi_stack self:capability { net_bind_service net_admin net_raw };
+allow wifi_stack self:packet_socket create_socket_perms_no_ioctl;
+allow wifi_stack self:netlink_route_socket nlmsg_write;
+allowxperm wifi_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# dumpstate support
+allow wifi_stack dumpstate:fd use;
+allow wifi_stack dumpstate:fifo_file write;
diff --git a/public/app.te b/public/app.te
index 36dd5e3..b523ad6 100644
--- a/public/app.te
+++ b/public/app.te
@@ -367,8 +367,8 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
+# bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack -wifi_stack } self:capability_class_set *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
@@ -491,9 +491,8 @@
neverallow appdomain
systemkeys_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- wifi_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -wifi_stack }
+ wifi_data_file:dir_file_class_set *;
neverallow appdomain
dhcp_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
@@ -516,7 +515,7 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain userdebug_or_eng(`-wifi_stack') } kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/public/netd.te b/public/netd.te
index c15a03b..3e48bd2 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -141,6 +141,7 @@
-network_stack
-netd
-netutils_wrapper
+ -wifi_stack
} netd_service:service_manager find;
# only system_server, dumpstate and network stack app may find dnsresolver service
@@ -151,11 +152,12 @@
-network_stack
-netd
-netutils_wrapper
+ -wifi_stack
} dnsresolver_service:service_manager find;
# apps may not interact with netd over binder.
-neverallow { appdomain -network_stack } netd:binder call;
-neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
+neverallow { appdomain -network_stack -wifi_stack } netd:binder call;
+neverallow netd { appdomain -network_stack -wifi_stack userdebug_or_eng(`-su') }:binder call;
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
diff --git a/public/service.te b/public/service.te
index 649dfa7..0a50eb7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -182,6 +182,7 @@
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
+type wifi_stack_service, system_server_service, service_manager_type;
type wificond_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
diff --git a/public/wifi_stack.te b/public/wifi_stack.te
new file mode 100644
index 0000000..f1a26f5
--- /dev/null
+++ b/public/wifi_stack.te
@@ -0,0 +1,2 @@
+# Wifi Stack Mandatory
+type wifi_stack, domain;
diff --git a/public/wificond.te b/public/wificond.te
index 656abad..ae83846 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,6 +4,7 @@
binder_use(wificond)
binder_call(wificond, system_server)
+binder_call(wificond, wifi_stack)
add_service(wificond, wificond_service)