sepolicy: Permission changes for new wifi mainline module
Move wifi services out of system_server into a separate APK/process.
Changes:
a) Created sepolicy for the new wifi apk.
b) The new APK will run with network_stack uid (eventually will be moved
to the same process).
Used 'audit2allow' tool to gather list of permissions required.
Note: The existing wifi related permissions in system_server is left
behind to allow the module to be loaded into system_server or
network_stack process depending on device configuration.
Bug: 113174748
Test: Device boots up and able to make wifi connection.
Test: Tested hotspot functionality.
Test: Ran WifiManagerTest & WifiSoftApTest ACTS tests locally.
Test: Will send for wifi regression tests.
Change-Id: Id19643a235bf0c28238f2729926b893ac2025b97
(cherry-picked from c7aa90091e6bec70a31a643cc4519a9a86fb0b38)
diff --git a/public/app.te b/public/app.te
index 36dd5e3..b523ad6 100644
--- a/public/app.te
+++ b/public/app.te
@@ -367,8 +367,8 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
+# bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack -wifi_stack } self:capability_class_set *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
@@ -491,9 +491,8 @@
neverallow appdomain
systemkeys_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- wifi_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -wifi_stack }
+ wifi_data_file:dir_file_class_set *;
neverallow appdomain
dhcp_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
@@ -516,7 +515,7 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain userdebug_or_eng(`-wifi_stack') } kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/public/netd.te b/public/netd.te
index c15a03b..3e48bd2 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -141,6 +141,7 @@
-network_stack
-netd
-netutils_wrapper
+ -wifi_stack
} netd_service:service_manager find;
# only system_server, dumpstate and network stack app may find dnsresolver service
@@ -151,11 +152,12 @@
-network_stack
-netd
-netutils_wrapper
+ -wifi_stack
} dnsresolver_service:service_manager find;
# apps may not interact with netd over binder.
-neverallow { appdomain -network_stack } netd:binder call;
-neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
+neverallow { appdomain -network_stack -wifi_stack } netd:binder call;
+neverallow netd { appdomain -network_stack -wifi_stack userdebug_or_eng(`-su') }:binder call;
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
diff --git a/public/service.te b/public/service.te
index 649dfa7..0a50eb7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -182,6 +182,7 @@
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
+type wifi_stack_service, system_server_service, service_manager_type;
type wificond_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
diff --git a/public/wifi_stack.te b/public/wifi_stack.te
new file mode 100644
index 0000000..f1a26f5
--- /dev/null
+++ b/public/wifi_stack.te
@@ -0,0 +1,2 @@
+# Wifi Stack Mandatory
+type wifi_stack, domain;
diff --git a/public/wificond.te b/public/wificond.te
index 656abad..ae83846 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,6 +4,7 @@
binder_use(wificond)
binder_call(wificond, system_server)
+binder_call(wificond, wifi_stack)
add_service(wificond, wificond_service)