commit d7b34a48ff17a7c2f7f938718525fa51c70c5686
author Roshan Pius <rpius@google.com> Fri Dec 22 15:03:15 2017 -0800
committer Jeffrey Vander Stoep <jeffv@google.com> Fri May 04 21:36:24 2018 +0000
tree 8faa2568ad3e7ebd69c575b04270a3b919d68698
parent 8c139df8456f3b0a169a2db63951e1de0ca2c08c

sepolicy(hostapd): Add a HIDL interface for hostapd

* Note on cherry-pick: Some of the dependent changes are not in AOSP.
In order to keep hostapd running correctly in AOSP, I've modified this
change to only include policy additions.

Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
(cherry picked from commit 5bca3e860d34b3aff070a38bfd39caa74cade443)

vendor/file.te

diff --git a/vendor/file.te b/vendor/file.te
index 6bebfb5..4de29c3 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,2 +1,4 @@
 # Socket types
 type hostapd_socket, file_type, data_file_type, core_data_file_type;
+# Hostapd conf files
+type hostapd_data_file, file_type, data_file_type;

vendor/file_contexts

diff --git a/vendor/file_contexts b/vendor/file_contexts
index 90de40b..c2bd73c 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -44,8 +44,9 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service  u:object_r:hal_wifi_offload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
-/(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/hostapd                                        u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hostapd                                           u:object_r:hostapd_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
 
 #############################
@@ -58,4 +59,5 @@
 #############################
 # Data files
 #
+/data/vendor/wifi/hostapd(/.*)?                                               u:object_r:hostapd_data_file:s0
 /data/misc/wifi/hostapd(/.*)?   u:object_r:hostapd_socket:s0

vendor/hal_wifi_hostapd_default.te

diff --git a/vendor/hal_wifi_hostapd_default.te b/vendor/hal_wifi_hostapd_default.te
new file mode 100644
index 0000000..5a3bbb6
--- /dev/null
+++ b/vendor/hal_wifi_hostapd_default.te
@@ -0,0 +1,11 @@
+# hostapd or equivalent
+type hal_wifi_hostapd_default, domain;
+hal_server_domain(hal_wifi_hostapd_default, hal_wifi_hostapd)
+type hal_wifi_hostapd_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_hostapd_default)
+
+net_domain(hal_wifi_hostapd_default)
+
+# Allow hostapd to access it's data folder
+allow hal_wifi_hostapd_default hostapd_data_file:dir rw_dir_perms;
+allow hal_wifi_hostapd_default hostapd_data_file:file create_file_perms;