platform_system_sepolicy/public/hal_wifi_hostapd.te

# HwBinder IPC from client to server
binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)

hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)

allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };

allow hal_wifi_hostapd_server sysfs_net:dir search;

# Allow hal_wifi_hostapd to access /proc/net/psched
allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };

# Various socket permissions.
allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;

###
### neverallow rules
###

# hal_wifi_hostapd should not trust any data from sdcards
neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
neverallow hal_wifi_hostapd_server sdcard_type:file *;
sepolicy(hostapd): Add a HIDL interface for hostapd * Note on cherry-pick: Some of the dependent changes are not in AOSP. In order to keep hostapd running correctly in AOSP, I've modified this change to only include policy additions. Change sepolicy permissions to now classify hostapd as a HAL exposing HIDL interface. Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd: 12-27 23:40:55.913 4952 4952 W hostapd : type=1400 audit(0.0:19): avc: denied { write } for name="hostapd" dev="sda13" ino=4587601 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0 01-02 19:07:16.938 5791 5791 W hostapd : type=1400 audit(0.0:31): avc: denied { search } for name="net" dev="sysfs" ino=30521 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0 Bug: 36646171 Test: Device boots up and able to turn on SoftAp. Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947 Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947 (cherry picked from commit 5bca3e860d34b3aff070a38bfd39caa74cade443) 2017-12-23 00:03:15 +01:00			`# HwBinder IPC from client to server`
			`binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)`
			`binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)`

hal_attribute_hwservice_client drop '_client' Since this attribute just associates a hal_attribute with a given hwservice in the standard way. Bug: 80319537 Test: boot + sanity + test for denials Change-Id: I545de165515387317e6920ce8f5e8c491f9ab24e 2018-06-06 18:30:18 +02:00			`hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)`
sepolicy(hostapd): Add a HIDL interface for hostapd * Note on cherry-pick: Some of the dependent changes are not in AOSP. In order to keep hostapd running correctly in AOSP, I've modified this change to only include policy additions. Change sepolicy permissions to now classify hostapd as a HAL exposing HIDL interface. Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd: 12-27 23:40:55.913 4952 4952 W hostapd : type=1400 audit(0.0:19): avc: denied { write } for name="hostapd" dev="sda13" ino=4587601 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0 01-02 19:07:16.938 5791 5791 W hostapd : type=1400 audit(0.0:31): avc: denied { search } for name="net" dev="sysfs" ino=30521 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0 Bug: 36646171 Test: Device boots up and able to turn on SoftAp. Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947 Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947 (cherry picked from commit 5bca3e860d34b3aff070a38bfd39caa74cade443) 2017-12-23 00:03:15 +01:00
			`allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };`

			`allow hal_wifi_hostapd_server sysfs_net:dir search;`

			`# Allow hal_wifi_hostapd to access /proc/net/psched`
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e) 2018-04-10 21:47:48 +02:00			`allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };`
sepolicy(hostapd): Add a HIDL interface for hostapd * Note on cherry-pick: Some of the dependent changes are not in AOSP. In order to keep hostapd running correctly in AOSP, I've modified this change to only include policy additions. Change sepolicy permissions to now classify hostapd as a HAL exposing HIDL interface. Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd: 12-27 23:40:55.913 4952 4952 W hostapd : type=1400 audit(0.0:19): avc: denied { write } for name="hostapd" dev="sda13" ino=4587601 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0 01-02 19:07:16.938 5791 5791 W hostapd : type=1400 audit(0.0:31): avc: denied { search } for name="net" dev="sysfs" ino=30521 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0 Bug: 36646171 Test: Device boots up and able to turn on SoftAp. Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947 Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947 (cherry picked from commit 5bca3e860d34b3aff070a38bfd39caa74cade443) 2017-12-23 00:03:15 +01:00
			`# Various socket permissions.`
			`allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;`
			`allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;`
			`allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;`
			`allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;`
			`allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;`

			`###`
			`### neverallow rules`
			`###`

			`# hal_wifi_hostapd should not trust any data from sdcards`
			`neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;`
			`neverallow hal_wifi_hostapd_server sdcard_type:file *;`