commit df794b45901a8565b0b38717b7f82d69cfe43aee
author Keith Mok <keithmok@google.com> Fri Nov 03 20:27:43 2023 +0000
committer Keith Mok <keithmok@google.com> Fri Nov 03 21:29:48 2023 +0000
tree 88d7c01a6a9010df546886c861b5cfea6fe2db27
parent 70b7a8c76de69eaa1146aa73e0c21f11d8eb21c3

SEPolicy for AIDL MACSEC HAL

Bug: 254108688
Test: AIDL MACSEC HAL VTS
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fba6480fa08001a36faf524d0a6952f29d916a6b)
Change-Id: I5ccaa24c6b9600713bbc0e4c523822567b64c662

vendor/file_contexts

diff --git a/vendor/file_contexts b/vendor/file_contexts
index 5bae6c5..28613c9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -76,6 +76,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy     u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example     u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service         u:object_r:hal_lowpan_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.macsec-service              u:object_r:hal_macsec_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service   u:object_r:mediacodec_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service       u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example    u:object_r:hal_memtrack_default_exec:s0
@@ -126,6 +127,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service-lazy           u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/hostapd                                        u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant_macsec                          u:object_r:wpa_supplicant_macsec_exec:s0
 /(vendor|system/vendor)/bin/install-recovery\.sh                              u:object_r:vendor_install_recovery_exec:s0
 /(vendor|system/vendor)/bin/ot-rcp                                            u:object_r:ot_rcp_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0

vendor/hal_macsec_default.te

diff --git a/vendor/hal_macsec_default.te b/vendor/hal_macsec_default.te
new file mode 100644
index 0000000..19b3d16
--- /dev/null
+++ b/vendor/hal_macsec_default.te
@@ -0,0 +1,8 @@
+type hal_macsec_default, domain;
+hal_server_domain(hal_macsec_default, hal_macsec)
+
+type hal_macsec_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_macsec_default)
+
+# Allow registering with service manager.
+binder_call(hal_macsec_default, servicemanager)

vendor/wpa_supplicant_macsec.te

diff --git a/vendor/wpa_supplicant_macsec.te b/vendor/wpa_supplicant_macsec.te
new file mode 100644
index 0000000..1b90ac7
--- /dev/null
+++ b/vendor/wpa_supplicant_macsec.te
@@ -0,0 +1,28 @@
+# wpa supplicant macsec or equivalent
+type wpa_supplicant_macsec, domain;
+type wpa_supplicant_macsec_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(wpa_supplicant_macsec)
+
+net_domain(wpa_supplicant_macsec)
+
+# Allow wpa_supplicant to configure nl80211
+allow wpa_supplicant_macsec proc_net_type:file write;
+
+# in addition to ioctls allowlisted for all domains, grant wpa_supplicant_macsec priv_sock_ioctls.
+allowxperm wpa_supplicant_macsec self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(wpa_supplicant_macsec, sysfs_type)
+r_dir_file(wpa_supplicant_macsec, proc_net_type)
+
+allow wpa_supplicant_macsec self:global_capability_class_set { setuid net_admin setgid net_raw };
+allow wpa_supplicant_macsec cgroup:dir create_dir_perms;
+allow wpa_supplicant_macsec cgroup_v2:dir create_dir_perms;
+allow wpa_supplicant_macsec self:netlink_route_socket nlmsg_write;
+allow wpa_supplicant_macsec self:netlink_socket create_socket_perms_no_ioctl;
+allow wpa_supplicant_macsec self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow wpa_supplicant_macsec self:packet_socket create_socket_perms;
+allowxperm wpa_supplicant_macsec self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+binder_use(wpa_supplicant_macsec)
+hal_client_domain(wpa_supplicant_macsec, hal_macsec)
+