sepolicy(hostapd): Add a HIDL interface for hostapd
Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.
Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913 4952 4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
01-02 19:07:16.938 5791 5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0
Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
diff --git a/vendor/file.te b/vendor/file.te
index 3350b1e..50238ac 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,2 +1,2 @@
-# Socket types
-type hostapd_socket, file_type, data_file_type;
+# Hostapd conf files
+type hostapd_data_file, file_type, data_file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index b6028f4..712e1d4 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -38,8 +38,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service u:object_r:hal_wifi_offload_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
-/(vendor|system/vendor)/bin/hostapd u:object_r:hostapd_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
#############################
@@ -52,4 +52,4 @@
#############################
# Data files
#
-/data/misc/wifi/hostapd(/.*)? u:object_r:hostapd_socket:s0
+/data/vendor/wifi/hostapd(/.*)? u:object_r:hostapd_data_file:s0
diff --git a/vendor/hal_wifi_hostapd_default.te b/vendor/hal_wifi_hostapd_default.te
new file mode 100644
index 0000000..5a3bbb6
--- /dev/null
+++ b/vendor/hal_wifi_hostapd_default.te
@@ -0,0 +1,11 @@
+# hostapd or equivalent
+type hal_wifi_hostapd_default, domain;
+hal_server_domain(hal_wifi_hostapd_default, hal_wifi_hostapd)
+type hal_wifi_hostapd_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_hostapd_default)
+
+net_domain(hal_wifi_hostapd_default)
+
+# Allow hostapd to access it's data folder
+allow hal_wifi_hostapd_default hostapd_data_file:dir rw_dir_perms;
+allow hal_wifi_hostapd_default hostapd_data_file:file create_file_perms;
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
deleted file mode 100644
index 9f99378..0000000
--- a/vendor/hostapd.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# userspace wifi access points
-type hostapd, domain;
-type hostapd_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(hostapd)
-
-net_domain(hostapd)
-allow hostapd self:global_capability_class_set { net_admin net_raw };
-
-# hostapd learns about its network interface via sysfs.
-allow hostapd sysfs:file r_file_perms;
-# hostapd follows the /sys/class/net/wlan0 link to the PCI device.
-allow hostapd sysfs:lnk_file r_file_perms;
-
-# Allow hostapd to access /proc/net/psched
-allow hostapd proc_net:file { getattr open read };
-
-# Various socket permissions.
-allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;
-allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
-allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hostapd self:packet_socket create_socket_perms_no_ioctl;
-allow hostapd self:netlink_route_socket nlmsg_write;