Merge "SEPolicy for Netlink Interceptor"

private/compat/31.0/31.0.ignore.cil

@@ -20,6 +20,7 @@
     hal_uwb_service
     hal_uwb_vendor_service
     hal_wifi_hostapd_service
+    hal_nlinterceptor_service
     hypervisor_prop
     locale_service
     power_stats_service

private/service_contexts

@@ -10,6 +10,7 @@ android.hardware.health.IHealth/default                              u:object_r:
 android.hardware.identity.IIdentityCredentialStore/default           u:object_r:hal_identity_service:s0
 android.hardware.light.ILights/default                               u:object_r:hal_light_service:s0
 android.hardware.memtrack.IMemtrack/default                          u:object_r:hal_memtrack_service:s0
+android.hardware.net.nlinterceptor.IInterceptor/default              u:object_r:hal_nlinterceptor_service:s0
 android.hardware.oemlock.IOemLock/default                            u:object_r:hal_oemlock_service:s0
 android.hardware.power.IPower/default                                u:object_r:hal_power_service:s0
 android.hardware.power.stats.IPowerStats/default                     u:object_r:hal_power_stats_service:s0

public/attributes

@@ -354,6 +354,7 @@ hal_attribute(lowpan);
 hal_attribute(memtrack);
 hal_attribute(neuralnetworks);
 hal_attribute(nfc);
+hal_attribute(nlinterceptor);
 hal_attribute(oemlock);
 hal_attribute(omx);
 hal_attribute(power);

public/hal_neverallows.te

@@ -11,6 +11,7 @@ neverallow {
   -hal_uwb_server
   # TODO(b/196225233): Remove hal_uwb_vendor_server
   -hal_uwb_vendor_server
+  -hal_nlinterceptor_server
 } self:global_capability_class_set { net_admin net_raw };
 
 # Unless a HAL's job is to communicate over the network, or control network
@@ -31,6 +32,7 @@ neverallow {
   -hal_uwb_server
   # TODO(b/196225233): Remove hal_uwb_vendor_server
   -hal_uwb_vendor_server
+  -hal_nlinterceptor_server
 } domain:{ udp_socket rawip_socket } *;
 
 neverallow {
@@ -42,6 +44,7 @@ neverallow {
   -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -hal_telephony_server
+  -hal_nlinterceptor_server
 } {
   domain
   userdebug_or_eng(`-su')

public/hal_nlinterceptor.te

@@ -0,0 +1,8 @@
+binder_call(hal_nlinterceptor_client, hal_nlinterceptor_server)
+
+hal_attribute_service(hal_nlinterceptor, hal_nlinterceptor_service)
+binder_call(hal_nlinterceptor, servicemanager)
+
+allow hal_nlinterceptor self:global_capability_class_set net_admin;
+allow hal_nlinterceptor self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_nlinterceptor self:netlink_route_socket { nlmsg_readpriv nlmsg_write };

public/service.te

@@ -282,6 +282,7 @@ type hal_tv_tuner_service, vendor_service, protected_service, service_manager_ty
 type hal_uwb_service, vendor_service, protected_service, service_manager_type;
 type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
 type hal_weaver_service, vendor_service, protected_service, service_manager_type;
+type hal_nlinterceptor_service, vendor_service, protected_service, service_manager_type;
 
 ###
 ### Neverallow rules

public/wificond.te

@@ -7,6 +7,7 @@ binder_call(wificond, system_server)
 binder_call(wificond, keystore)
 
 add_service(wificond, wifinl80211_service)
+hal_client_domain(wificond, hal_nlinterceptor)
 
 # create sockets to set interfaces up and down
 allow wificond self:udp_socket create_socket_perms;