SEPolicy to start hostapd via init
While here, remove a lot of extra permissions that we apparently
had because hostapd was inheriting fds from netd.
Bug: 30041118
Test: netd can request init to start/stop hostapd without denials.
Change-Id: Ia777497443a4226a201030eccb9dfc5a40f015dd
(cherry picked from commit 8a6c5f8553f6cc78237111daf22e59c572dde30c)
diff --git a/file.te b/file.te
index 693d513..ec4a18e 100644
--- a/file.te
+++ b/file.te
@@ -230,6 +230,8 @@
type uncrypt_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
+# hostapd control interface.
+type hostapd_socket, file_type;
type zygote_socket, file_type;
type sap_uim_socket, file_type;
# UART (for GPS) control proc file
diff --git a/file_contexts b/file_contexts
index 7d55abe..9d5ee9f 100644
--- a/file_contexts
+++ b/file_contexts
@@ -283,7 +283,7 @@
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
-/data/misc/wifi/hostapd(/.*)? u:object_r:wpa_socket:s0
+/data/misc/wifi/hostapd(/.*)? u:object_r:hostapd_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
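Review bot: The relabel of `/data/misc/wifi/hostapd(/.*)?` to `hostapd_socket` only works if the directory already exists with the new label when hostapd starts. The hostapd.te hunk in this commit removes both the `type_transition ... "hostapd"` rule and `wifi_data_file:dir create_dir_perms`, so hostapd can no longer create or label the directory itself. On an upgraded device the directory is presumably still labelled `wpa_socket` on disk, which the new policy no longer allows hostapd to use. Please confirm that init creates the directory and that a restorecon over /data covers it, and note this next to the entry, e.g. `# Created and relabelled by init; hostapd cannot create this directory.` The Test line covers start/stop from netd only, so a check on a device with existing wifi data would be worth adding.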
diff --git a/hostapd.te b/hostapd.te
index 204a0d9..0b58fcb 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -1,27 +1,32 @@
# userspace wifi access points
-type hostapd, domain, domain_deprecated;
+type hostapd, domain;
type hostapd_exec, exec_type, file_type;
+init_daemon_domain(hostapd)
net_domain(hostapd)
+allow hostapd self:capability { net_admin net_raw };
-allow hostapd self:capability { net_admin net_raw setuid setgid };
+# hostapd learns about its network interface via sysfs.
+allow hostapd sysfs:file r_file_perms;
+# hostapd follows the /sys/class/net/wlan0 link to the PCI device.
+allow hostapd sysfs:lnk_file r_file_perms;
+
+# Allow hostapd to access /proc/net/psched
+allow hostapd proc_net:file { getattr open read };
+
+# Various socket permissions.
allow hostapd self:netlink_socket create_socket_perms;
allow hostapd self:netlink_generic_socket create_socket_perms;
allow hostapd self:packet_socket create_socket_perms;
allow hostapd self:netlink_route_socket nlmsg_write;
+# hostapd can read and write WiFi related data and configuration.
+# For example, the entropy file is periodically updated.
allow hostapd wifi_data_file:file rw_file_perms;
-allow hostapd wifi_data_file:dir create_dir_perms;
-type_transition hostapd wifi_data_file:dir wpa_socket "sockets";
-type_transition hostapd wifi_data_file:dir wpa_socket "hostapd";
-allow hostapd wpa_socket:dir create_dir_perms;
-allow hostapd wpa_socket:sock_file create_file_perms;
-allow hostapd netd:fd use;
-allow hostapd netd:udp_socket { read write };
-allow hostapd netd:fifo_file { read write };
-# TODO: Investigate whether these inherited sockets should be closed on exec.
-allow hostapd netd:netlink_kobject_uevent_socket { read write };
-allow hostapd netd:netlink_nflog_socket { read write };
-allow hostapd netd:netlink_route_socket { read write };
-allow hostapd netd:unix_stream_socket { read write };
-allow hostapd netd:unix_dgram_socket { read write };
+r_dir_file(hostapd, wifi_data_file)
+
+# hostapd needs to bind to (and possibly create) its control interface socket.
+allow hostapd hostapd_socket:dir rw_dir_perms;
+# hostapd likes to chmod its socket directory.
+allow hostapd hostapd_socket:dir setattr;
+allow hostapd hostapd_socket:sock_file create_file_perms;
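Review bot: The two new rules `allow hostapd sysfs:file r_file_perms;` and `allow hostapd sysfs:lnk_file r_file_perms;` are written against the generic `sysfs` type, so they grant read access to every sysfs node without a more specific label. The comments say hostapd needs only its network interface entries. Dropping `domain_deprecated` tightens the domain, and these rules hand part of that breadth back. If the tree has, or can add, a dedicated type for the /sys/class/net nodes, the rules should target that. Otherwise record the gap with a comment such as `# TODO: generic sysfs read is broader than needed; narrow once the net class nodes have their own type.` As a style point, the two `hostapd_socket:dir` rules can be one line: `allow hostapd hostapd_socket:dir { rw_dir_perms setattr };`.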
diff --git a/netd.te b/netd.te
index 98da012..5379ac1 100644
--- a/netd.te
+++ b/netd.te
@@ -50,10 +50,6 @@
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
-# Allow netd to spawn hostapd in it's own domain
-domain_auto_trans(netd, hostapd_exec, hostapd)
-allow netd hostapd:process signal;
-
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
allow netd dnsmasq:process signal;
@@ -80,6 +76,8 @@
allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
allow netd netdomain:fd use;
+# Allow netd to start and stop hostapd via ctl.start/stop
+set_prop(netd, ctl_default_prop)
###
### Neverallow rules
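Review bot: `set_prop(netd, ctl_default_prop)` grants more than the comment above it describes. `ctl_default_prop` is the fallback label for control properties, so netd can ask init to start or stop any service whose control name has no more specific entry in property_contexts, not just hostapd. A compromised netd could then reach unrelated services. A dedicated property type for hostapd's control name would keep the grant to the one service; that means a new type plus a property_contexts entry, with the name left to the author. If that is out of scope for this change, the comment should state the real breadth, e.g. `# TODO: ctl_default_prop covers all services without their own ctl label; narrow to a hostapd-specific type.`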