sepolicy(hostapd): Add a HIDL interface for hostapd Change sepolicy permissions to now classify hostapd as a HAL exposing HIDL interface. Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd: 12-27 23:40:55.913 4952 4952 W hostapd : type=1400 audit(0.0:19): avc: denied { write } for name="hostapd" dev="sda13" ino=4587601 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0 01-02 19:07:16.938 5791 5791 W hostapd : type=1400 audit(0.0:31): avc: denied { search } for name="net" dev="sysfs" ino=30521 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0 Bug: 36646171 Test: Device boots up and able to turn on SoftAp. Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947

commit: 5bca3e860d34b3aff070a38bfd39caa74cade443 [log] [tgz]
author: Roshan Pius <rpius@google.com> Fri Dec 22 15:03:15 2017 -0800
committer: Roshan Pius <rpius@google.com> Fri Jan 12 14:05:38 2018 -0800
tree: 9830451f706dbe9c550599887d1caf2cd88ef75f
parent: a4e83bc5f36d908b19aff88eb2a6829ff6053134 [diff]
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 5b30be0..aad4bee 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil

@@ -34,6 +34,7 @@
     hal_lowpan_hwservice
     hal_neuralnetworks_hwservice
     hal_tetheroffload_hwservice
+    hal_wifi_hostapd_hwservice
     hal_wifi_offload_hwservice
     kmsg_debug_device
     last_boot_reason_prop

diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index a98c68a..316c34c 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts

@@ -47,6 +47,7 @@
 android.hardware.vr::IVr                                        u:object_r:hal_vr_hwservice:s0
 android.hardware.weaver::IWeaver                                u:object_r:hal_weaver_hwservice:s0
 android.hardware.wifi::IWifi                                    u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.hostapd::IHostapd                         u:object_r:hal_wifi_hostapd_hwservice:s0
 android.hardware.wifi.offload::IOffload                         u:object_r:hal_wifi_offload_hwservice:s0
 android.hardware.wifi.supplicant::ISupplicant                   u:object_r:hal_wifi_supplicant_hwservice:s0
 android.hidl.allocator::IAllocator                              u:object_r:hidl_allocator_hwservice:s0

diff --git a/private/system_server.te b/private/system_server.te
index 973b017..48ae95d 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -202,6 +202,7 @@
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_weaver)
 hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_hostapd)
 hal_client_domain(system_server, hal_wifi_offload)
 hal_client_domain(system_server, hal_wifi_supplicant)
 

diff --git a/public/attributes b/public/attributes
index c25f1eb..3c3af3c 100644
--- a/public/attributes
+++ b/public/attributes

@@ -233,6 +233,7 @@
 hal_attribute(vr);
 hal_attribute(weaver);
 hal_attribute(wifi);
+hal_attribute(wifi_hostapd);
 hal_attribute(wifi_offload);
 hal_attribute(wifi_supplicant);
 

diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index c866bae..1ab28c5 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te

@@ -4,6 +4,7 @@
   halserverdomain
   -hal_bluetooth_server
   -hal_wifi_server
+  -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -rild
 } self:global_capability_class_set { net_admin net_raw };
@@ -14,6 +15,7 @@
   halserverdomain
   -hal_tetheroffload_server
   -hal_wifi_server
+  -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -rild
 } domain:{ tcp_socket udp_socket rawip_socket } *;

diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
new file mode 100644
index 0000000..03a5546
--- /dev/null
+++ b/public/hal_wifi_hostapd.te

@@ -0,0 +1,28 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
+binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
+
+add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
+allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
+
+allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
+
+allow hal_wifi_hostapd_server sysfs_net:dir search;
+
+# Allow hal_wifi_hostapd to access /proc/net/psched
+allow hal_wifi_hostapd_server proc_net:file { getattr open read };
+
+# Various socket permissions.
+allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
+allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
+
+###
+### neverallow rules
+###
+
+# hal_wifi_hostapd should not trust any data from sdcards
+neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_hostapd_server sdcard_type:file *;

diff --git a/public/hwservice.te b/public/hwservice.te
index 19a7205..6eb816e 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te

@@ -41,6 +41,7 @@
 type hal_vr_hwservice, hwservice_manager_type;
 type hal_weaver_hwservice, hwservice_manager_type;
 type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type;
 type hal_wifi_offload_hwservice, hwservice_manager_type;
 type hal_wifi_supplicant_hwservice, hwservice_manager_type;
 type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;

diff --git a/public/su.te b/public/su.te
index 88065f6..a893026 100644
--- a/public/su.te
+++ b/public/su.te

@@ -91,6 +91,7 @@
   typeattribute su hal_vr_client;
   typeattribute su hal_weaver_client;
   typeattribute su hal_wifi_client;
+  typeattribute su hal_wifi_hostapd_client;
   typeattribute su hal_wifi_offload_client;
   typeattribute su hal_wifi_supplicant_client;
 ')

diff --git a/vendor/file.te b/vendor/file.te
index 3350b1e..50238ac 100644
--- a/vendor/file.te
+++ b/vendor/file.te

@@ -1,2 +1,2 @@
-# Socket types
-type hostapd_socket, file_type, data_file_type;
+# Hostapd conf files
+type hostapd_data_file, file_type, data_file_type;

diff --git a/vendor/file_contexts b/vendor/file_contexts
index b6028f4..712e1d4 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts

@@ -38,8 +38,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service  u:object_r:hal_wifi_offload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/hostapd                                        u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
-/(vendor|system/vendor)/bin/hostapd                                           u:object_r:hostapd_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
 
 #############################
@@ -52,4 +52,4 @@
 #############################
 # Data files
 #
-/data/misc/wifi/hostapd(/.*)?   u:object_r:hostapd_socket:s0
+/data/vendor/wifi/hostapd(/.*)?                                               u:object_r:hostapd_data_file:s0

diff --git a/vendor/hal_wifi_hostapd_default.te b/vendor/hal_wifi_hostapd_default.te
new file mode 100644
index 0000000..5a3bbb6
--- /dev/null
+++ b/vendor/hal_wifi_hostapd_default.te

@@ -0,0 +1,11 @@
+# hostapd or equivalent
+type hal_wifi_hostapd_default, domain;
+hal_server_domain(hal_wifi_hostapd_default, hal_wifi_hostapd)
+type hal_wifi_hostapd_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_hostapd_default)
+
+net_domain(hal_wifi_hostapd_default)
+
+# Allow hostapd to access it's data folder
+allow hal_wifi_hostapd_default hostapd_data_file:dir rw_dir_perms;
+allow hal_wifi_hostapd_default hostapd_data_file:file create_file_perms;

diff --git a/vendor/hostapd.te b/vendor/hostapd.te
deleted file mode 100644
index 9f99378..0000000
--- a/vendor/hostapd.te
+++ /dev/null

@@ -1,23 +0,0 @@
-# userspace wifi access points
-type hostapd, domain;
-type hostapd_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(hostapd)
-
-net_domain(hostapd)
-allow hostapd self:global_capability_class_set { net_admin net_raw };
-
-# hostapd learns about its network interface via sysfs.
-allow hostapd sysfs:file r_file_perms;
-# hostapd follows the /sys/class/net/wlan0 link to the PCI device.
-allow hostapd sysfs:lnk_file r_file_perms;
-
-# Allow hostapd to access /proc/net/psched
-allow hostapd proc_net:file { getattr open read };
-
-# Various socket permissions.
-allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;
-allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
-allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hostapd self:packet_socket create_socket_perms_no_ioctl;
-allow hostapd self:netlink_route_socket nlmsg_write;
commit	5bca3e860d34b3aff070a38bfd39caa74cade443	[log] [tgz]
author	Roshan Pius <rpius@google.com>	Fri Dec 22 15:03:15 2017 -0800
committer	Roshan Pius <rpius@google.com>	Fri Jan 12 14:05:38 2018 -0800
tree	9830451f706dbe9c550599887d1caf2cd88ef75f
parent	a4e83bc5f36d908b19aff88eb2a6829ff6053134 [diff]