SEPolicy for Netlink Interceptor
Make Netlink Interceptor work when SELinux is enforcing
Test: Netlink Interceptor HAL comes up and works
Bug: 194683902
Change-Id: I3afc7ae04eba82f2f6385b66ddd5f4a8310dff88
diff --git a/public/attributes b/public/attributes
index 32fe98c..314b278 100644
--- a/public/attributes
+++ b/public/attributes
@@ -355,6 +355,7 @@
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
+hal_attribute(nlinterceptor);
hal_attribute(oemlock);
hal_attribute(omx);
hal_attribute(power);
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 3254f11..0d6554b 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -9,6 +9,7 @@
-hal_wifi_supplicant_server
-hal_telephony_server
-hal_uwb_vendor_server
+ -hal_nlinterceptor_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -27,6 +28,7 @@
-hal_wifi_supplicant_server
-hal_telephony_server
-hal_uwb_vendor_server
+ -hal_nlinterceptor_server
} domain:{ udp_socket rawip_socket } *;
neverallow {
@@ -38,6 +40,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_nlinterceptor_server
} {
domain
userdebug_or_eng(`-su')
diff --git a/public/hal_nlinterceptor.te b/public/hal_nlinterceptor.te
new file mode 100644
index 0000000..2076de8
--- /dev/null
+++ b/public/hal_nlinterceptor.te
@@ -0,0 +1,8 @@
+binder_call(hal_nlinterceptor_client, hal_nlinterceptor_server)
+
+hal_attribute_service(hal_nlinterceptor, hal_nlinterceptor_service)
+binder_call(hal_nlinterceptor, servicemanager)
+
+allow hal_nlinterceptor self:global_capability_class_set net_admin;
+allow hal_nlinterceptor self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_nlinterceptor self:netlink_route_socket { nlmsg_readpriv nlmsg_write };
diff --git a/public/service.te b/public/service.te
index a821941..97d697e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -280,6 +280,7 @@
type hal_uwb_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
type hal_weaver_service, vendor_service, protected_service, service_manager_type;
+type hal_nlinterceptor_service, vendor_service, protected_service, service_manager_type;
###
### Neverallow rules
diff --git a/public/wificond.te b/public/wificond.te
index 254fcbc..98db0d7 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -7,6 +7,7 @@
binder_call(wificond, keystore)
add_service(wificond, wifinl80211_service)
+hal_client_domain(wificond, hal_nlinterceptor)
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;