From 845b10c3db54c1a89ba50a27708eaa34d45d392d Mon Sep 17 00:00:00 2001 From: Roshan Pius Date: Fri, 22 Nov 2019 09:30:23 -0800 Subject: [PATCH 1/3] Revert "sepolicy(wifi): Allow audio service access from wifi" This reverts commit 386cf9d95775cdddce70d48015f035dd4dae9b2d. Reason for revert: Wifi services no longer plan to be a separate APK/process for mainline. Will instead become a jar loaded from Apex. Bug: 144722612 Test: Device boots up & connects to wifi networks Change-Id: Ibb4db9d92c8d9f1170fcc047fa3377eef2acfce6 --- private/network_stack.te | 1 - 1 file changed, 1 deletion(-) diff --git a/private/network_stack.te b/private/network_stack.te index 6db7d8fbb..583784f6f 100644 --- a/private/network_stack.te +++ b/private/network_stack.te @@ -45,7 +45,6 @@ userdebug_or_eng(` ') # Binder IPC. -allow network_stack audioserver_service:service_manager find; allow network_stack network_score_service:service_manager find; allow network_stack network_stack_service:service_manager find; allow network_stack radio_service:service_manager find; From a483b5df72a7fd5a1ed850877e1adf30d618e95b Mon Sep 17 00:00:00 2001 
From: Roshan Pius Date: Fri, 22 Nov 2019 09:33:37 -0800 Subject: [PATCH 2/3] Revert "wifi_stack: Move to network_stack process" This reverts commit 1086c7d71d7f614addf36c3923fc5ce96da2cdde. Reason for revert: Wifi services no longer plan to be a separate APK/process for mainline. Will instead become a jar loaded from Apex. Bug: 144722612 Test: Device boots up & connects to wifi networks Change-Id: I69ccc6afbe15db88f516cdc64e13d8cfdb0c743c --- private/compat/29.0/29.0.ignore.cil | 4 ++- private/logd.te | 2 +- private/network_stack.te | 40 +-------------------- private/seapp_contexts | 4 ++- private/wifi_stack.te | 56 +++++++++++++++++++++++++++++ public/app.te | 6 ++-- public/netd.te | 6 ++-- public/wifi_stack.te | 2 ++ public/wificond.te | 2 +- 9 files changed, 74 insertions(+), 48 deletions(-) create mode 100644 private/wifi_stack.te create mode 100644 public/wifi_stack.te diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil index 739940b72..1fe88940c 100644 --- a/private/compat/29.0/29.0.ignore.cil +++ b/private/compat/29.0/29.0.ignore.cil @@ -41,4 +41,6 @@ vendor_install_recovery vendor_install_recovery_exec virtual_ab_prop - wifi_stack_service)) + wifi_stack + wifi_stack_service + wifi_stack_tmpfs)) diff --git a/private/logd.te b/private/logd.te index f24cb80f7..a9c65b030 100644 --- a/private/logd.te +++ b/private/logd.te @@ -35,5 +35,5 @@ neverallow { -shell userdebug_or_eng(`-su') -system_app - -network_stack + -wifi_stack } runtime_event_log_tags_file:file no_rw_file_perms; diff --git a/private/network_stack.te b/private/network_stack.te index 583784f6f..28ce7101a 100644 --- a/private/network_stack.te +++ b/private/network_stack.te @@ -1,4 +1,4 @@ -############### Networking service app - NetworkStack.apk ############## +# Networking service app typeattribute network_stack coredomain; app_domain(network_stack); 
@@ -29,43 +29,5 @@ allow network_stack radio_data_file:file create_file_perms; binder_call(network_stack, netd); -############### Wifi Service app - WifiStack.apk ############## -# Data file accesses. -# Manage /data/misc/wifi & /data/misc_ce//wifi. -allow network_stack wifi_data_file:dir create_dir_perms; -allow network_stack wifi_data_file:file create_file_perms; - -# Property accesses -userdebug_or_eng(` - set_prop(network_stack, wifi_log_prop) - - # Allow network_stack to read dmesg - # TODO(b/137085509): Remove this. - allow network_stack kernel:system syslog_read; -') - -# Binder IPC. -allow network_stack network_score_service:service_manager find; -allow network_stack network_stack_service:service_manager find; -allow network_stack radio_service:service_manager find; -allow network_stack wificond_service:service_manager find; -allow network_stack wifiscanner_service:service_manager find; -binder_call(network_stack, system_server) -binder_call(network_stack, wificond) - -# HwBinder IPC. -hal_client_domain(network_stack, hal_wifi) -hal_client_domain(network_stack, hal_wifi_hostapd) -hal_client_domain(network_stack, hal_wifi_supplicant) - -# Allow WifiService to start, stop, and read wifi-specific trace events. -allow network_stack debugfs_tracing_instances:dir search; -allow network_stack debugfs_wifi_tracing:dir search; -allow network_stack debugfs_wifi_tracing:file rw_file_perms; - -# dumpstate support -allow network_stack dumpstate:fd use; -allow network_stack dumpstate:fifo_file write; - # Create/use netlink_tcpdiag_socket to get tcp info allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write }; diff --git a/private/seapp_contexts b/private/seapp_contexts index 17c22e1c2..c4b0e6f7d 100644 --- a/private/seapp_contexts +++ b/private/seapp_contexts 
@@ -144,7 +144,9 @@ isSystemServer=true domain=system_server_startup user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all user=system seinfo=platform domain=system_app type=system_app_data_file user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file -user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file +# TODO (b/135691051): wifi stack is temporarily a separate process. Will merge to network_stack once non-formal API dependencies are fixed. +user=network_stack seinfo=network_stack name=com.android.server.wifistack domain=wifi_stack +user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file user=nfc seinfo=platform domain=nfc type=nfc_data_file user=secure_element seinfo=platform domain=secure_element levelFrom=all user=radio seinfo=platform domain=radio type=radio_data_file diff --git a/private/wifi_stack.te b/private/wifi_stack.te new file mode 100644 index 000000000..1f19faa53 --- /dev/null +++ b/private/wifi_stack.te 
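Review bot: The restored `domain=wifi_stack` entry in private/seapp_contexts carries neither `type=` nor `levelFrom=`, while the `domain=network_stack` entry below it gains `levelFrom=all`, which the line it replaces did not have; the commit message explains neither difference. Both entries share `user=network_stack seinfo=network_stack`, so only `name=com.android.server.wifistack` selects the wifi domain, and the two processes would presumably run at different MLS levels. The TODO above the entry still says wifi will merge into network_stack, which no longer matches the stated reason for the revert; I would replace it with a comment such as `# wifi stack: separate process under the network_stack user, selected by package name; no levelFrom/type on purpose (state why).`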
@@ -0,0 +1,56 @@
+# Wifi Stack Mandatory
+typeattribute wifi_stack coredomain;
+
+app_domain(wifi_stack)
+net_domain(wifi_stack)
+
+# Data file accesses.
+# Manage /data/misc/wifi.
+allow wifi_stack wifi_data_file:dir create_dir_perms;
+allow wifi_stack wifi_data_file:file create_file_perms;
+allow wifi_stack radio_data_file:dir search;
+
+# Property accesses
+userdebug_or_eng(`
+ set_prop(wifi_stack, wifi_log_prop)
+
+ # Allow wifi_stack to read dmesg
+ # TODO(b/137085509): Remove this.
+ allow wifi_stack kernel:system syslog_read;
+')
+
+# ctl interface
+
+# Perform Binder IPC.
+binder_use(wifi_stack)
+allow wifi_stack app_api_service:service_manager find;
+allow wifi_stack network_score_service:service_manager find;
+allow wifi_stack netd_service:service_manager find;
+allow wifi_stack network_stack_service:service_manager find;
+allow wifi_stack radio_service:service_manager find;
+allow wifi_stack wificond_service:service_manager find;
+allow wifi_stack wifiscanner_service:service_manager find;
+binder_call(wifi_stack, system_server)
+binder_call(wifi_stack, wificond)
+binder_call(wifi_stack, network_stack)
+
+# Perform HwBinder IPC.
+hwbinder_use(wifi_stack)
+hal_client_domain(wifi_stack, hal_wifi)
+hal_client_domain(wifi_stack, hal_wifi_hostapd)
+hal_client_domain(wifi_stack, hal_wifi_supplicant)
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow wifi_stack debugfs_tracing_instances:dir search;
+allow wifi_stack debugfs_wifi_tracing:dir search;
+allow wifi_stack debugfs_wifi_tracing:file rw_file_perms;
+
+# Connectivity
+allow wifi_stack self:capability { net_bind_service net_admin net_raw };
+allow wifi_stack self:packet_socket create_socket_perms_no_ioctl;
+allow wifi_stack self:netlink_route_socket nlmsg_write;
+allowxperm wifi_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# dumpstate support
+allow wifi_stack dumpstate:fd use;
+allow wifi_stack dumpstate:fifo_file write;
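Review bot: `allow wifi_stack self:capability { net_bind_service net_admin net_raw };` under `# Connectivity` gives an app domain three capabilities with no stated reason; the only justification visible in this series is the public/app.te comment, which mentions net_admin and wake_alarm for wifi but not net_raw or net_bind_service. Because this rule is what forces the `-wifi_stack` carve-out in the appdomain capability neverallow, it deserves a per-capability comment, e.g. `# TODO: name the wifi component that needs each of net_admin, net_raw and net_bind_service, or drop the unused ones.` `allow wifi_stack app_api_service:service_manager find;` is likewise an attribute-wide grant sitting next to individually listed services and should say why the whole attribute is needed. The `# ctl interface` heading has no rules under it and can be removed.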
diff --git a/public/app.te b/public/app.te index 030aba582..1f03bd47c 100644 --- a/public/app.te +++ b/public/app.te @@ -365,7 +365,7 @@ allow appdomain zygote_tmpfs:file { map read }; # Superuser capabilities. # bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin. -neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *; +neverallow { appdomain -bluetooth -network_stack -wifi_stack } self:capability_class_set *; # Block device access. neverallow appdomain dev_type:blk_file { read write }; @@ -488,7 +488,7 @@ neverallow appdomain neverallow appdomain systemkeys_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -network_stack } +neverallow { appdomain -wifi_stack } wifi_data_file:dir_file_class_set *; neverallow appdomain dhcp_data_file:dir_file_class_set @@ -512,7 +512,7 @@ neverallow appdomain proc:dir_file_class_set write; # Access to syslog(2) or /proc/kmsg. -neverallow { appdomain userdebug_or_eng(`-network_stack') } kernel:system { syslog_read syslog_mod syslog_console }; +neverallow { appdomain userdebug_or_eng(`-wifi_stack') } kernel:system { syslog_read syslog_mod syslog_console }; # SELinux is not an API for apps to use neverallow { appdomain -shell } *:security { compute_av check_context }; diff --git a/public/netd.te b/public/netd.te index c15a03baf..3e48bd243 100644 --- a/public/netd.te +++ b/public/netd.te @@ -141,6 +141,7 @@ neverallow { -network_stack -netd -netutils_wrapper + -wifi_stack } netd_service:service_manager find; # only system_server, dumpstate and network stack app may find dnsresolver service 
@@ -151,11 +152,12 @@ neverallow { -network_stack -netd -netutils_wrapper + -wifi_stack } dnsresolver_service:service_manager find; # apps may not interact with netd over binder. -neverallow { appdomain -network_stack } netd:binder call; -neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call; +neverallow { appdomain -network_stack -wifi_stack } netd:binder call; +neverallow netd { appdomain -network_stack -wifi_stack userdebug_or_eng(`-su') }:binder call; # persist.netd.stable_secret contains RFC 7217 secret key which should never be # leaked to other processes. Make sure it never leaks. diff --git a/public/wifi_stack.te b/public/wifi_stack.te new file mode 100644 index 000000000..f1a26f5e7 --- /dev/null +++ b/public/wifi_stack.te @@ -0,0 +1,2 @@ +# Wifi Stack Mandatory +type wifi_stack, domain; diff --git a/public/wificond.te b/public/wificond.te index a55872abb..2a4eb4e43 100644 --- a/public/wificond.te +++ b/public/wificond.te @@ -4,7 +4,7 @@ type wificond_exec, system_file_type, exec_type, file_type; binder_use(wificond) binder_call(wificond, system_server) -binder_call(wificond, network_stack) +binder_call(wificond, wifi_stack) add_service(wificond, wificond_service) From d804a76d03eb545ce7aa425f08f6a67e1115eb4d Mon Sep 17 00:00:00 2001 
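Review bot: The `-wifi_stack` exemptions added to the `dnsresolver_service:service_manager find` neverallow and to both `netd:binder call` neverallows have no matching allow rule in private/wifi_stack.te as added by this patch, which grants only `netd_service:service_manager find` and binder calls to system_server, wificond and network_stack. An exemption with no rule behind it only widens what a later change can grant without tripping the assertion, so I would drop `-wifi_stack` from those three statements unless a rule outside this patch relies on it (the `net_domain` and `app_api_service` expansions are not shown here). The context comment `# only system_server, dumpstate and network stack app may find dnsresolver service` also becomes inaccurate once wifi_stack is exempt and should be updated if the exemption stays. The neverallow blocks begin above the hunk.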
From: Roshan Pius Date: Fri, 22 Nov 2019 09:36:20 -0800 Subject: [PATCH 3/3] Revert "sepolicy: Permission changes for new wifi mainline module" This reverts commit 3aa1c1725ea2b6fd452c5771629dcfc50a351538. Reason for revert: Wifi services no longer plan to be a separate APK/process for mainline. Will instead become a jar loaded from Apex. Bug: 144722612 Test: Device boots up & connects to wifi networks Change-Id: Ifa33dae971dccfd5d14991727e2f27d2398fdc74 --- private/compat/29.0/29.0.ignore.cil | 5 +-- private/logd.te | 1 - private/seapp_contexts | 2 -- private/service_contexts | 1 - private/vold_prepare_subdirs.te | 2 -- private/wifi_stack.te | 56 ----------------------------- public/app.te | 11 +++--- public/netd.te | 6 ++-- public/service.te | 1 - public/wifi_stack.te | 2 -- public/wificond.te | 1 - 11 files changed, 9 insertions(+), 79 deletions(-) delete mode 100644 private/wifi_stack.te delete mode 100644 public/wifi_stack.te diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil index 1fe88940c..bf7dbe39d 100644 --- a/private/compat/29.0/29.0.ignore.cil +++ b/private/compat/29.0/29.0.ignore.cil @@ -40,7 +40,4 @@ vendor_boringssl_self_test vendor_install_recovery vendor_install_recovery_exec - virtual_ab_prop - wifi_stack - wifi_stack_service - wifi_stack_tmpfs)) + virtual_ab_prop)) diff --git a/private/logd.te b/private/logd.te index a9c65b030..ca92e2061 100644 --- a/private/logd.te +++ b/private/logd.te @@ -35,5 +35,4 @@ neverallow { -shell userdebug_or_eng(`-su') -system_app - -wifi_stack } runtime_event_log_tags_file:file no_rw_file_perms; diff --git a/private/seapp_contexts b/private/seapp_contexts index c4b0e6f7d..ed381dfa6 100644 --- a/private/seapp_contexts +++ b/private/seapp_contexts 
@@ -144,8 +144,6 @@ isSystemServer=true domain=system_server_startup user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all user=system seinfo=platform domain=system_app type=system_app_data_file user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file -# TODO (b/135691051): wifi stack is temporarily a separate process. Will merge to network_stack once non-formal API dependencies are fixed. -user=network_stack seinfo=network_stack name=com.android.server.wifistack domain=wifi_stack user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file user=nfc seinfo=platform domain=nfc type=nfc_data_file user=secure_element seinfo=platform domain=secure_element levelFrom=all diff --git a/private/service_contexts b/private/service_contexts index dd7111113..fa52a05a2 100644 --- a/private/service_contexts +++ b/private/service_contexts @@ -226,6 +226,5 @@ wifi u:object_r:wifi_service:s0 wificond u:object_r:wificond_service:s0 wifiaware u:object_r:wifiaware_service:s0 wifirtt u:object_r:rttmanager_service:s0 -wifi_stack u:object_r:wifi_stack_service:s0 window u:object_r:window_service:s0 * u:object_r:default_android_service:s0 diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te index e7f27b959..348d3ce32 100644 --- a/private/vold_prepare_subdirs.te +++ b/private/vold_prepare_subdirs.te @@ -21,7 +21,6 @@ allow vold_prepare_subdirs { rollback_data_file storaged_data_file vold_data_file - wifi_data_file }:dir { create_dir_perms relabelto }; allow vold_prepare_subdirs { backup_data_file @@ -32,7 +31,6 @@ allow vold_prepare_subdirs { storaged_data_file system_data_file vold_data_file - wifi_data_file }:file { getattr unlink }; dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms; diff --git a/private/wifi_stack.te b/private/wifi_stack.te deleted file mode 100644 index 1f19faa53..000000000 --- a/private/wifi_stack.te +++ /dev/null 
@@ -1,56 +0,0 @@
-# Wifi Stack Mandatory
-typeattribute wifi_stack coredomain;
-
-app_domain(wifi_stack)
-net_domain(wifi_stack)
-
-# Data file accesses.
-# Manage /data/misc/wifi.
-allow wifi_stack wifi_data_file:dir create_dir_perms;
-allow wifi_stack wifi_data_file:file create_file_perms;
-allow wifi_stack radio_data_file:dir search;
-
-# Property accesses
-userdebug_or_eng(`
- set_prop(wifi_stack, wifi_log_prop)
-
- # Allow wifi_stack to read dmesg
- # TODO(b/137085509): Remove this.
- allow wifi_stack kernel:system syslog_read;
-')
-
-# ctl interface
-
-# Perform Binder IPC.
-binder_use(wifi_stack)
-allow wifi_stack app_api_service:service_manager find;
-allow wifi_stack network_score_service:service_manager find;
-allow wifi_stack netd_service:service_manager find;
-allow wifi_stack network_stack_service:service_manager find;
-allow wifi_stack radio_service:service_manager find;
-allow wifi_stack wificond_service:service_manager find;
-allow wifi_stack wifiscanner_service:service_manager find;
-binder_call(wifi_stack, system_server)
-binder_call(wifi_stack, wificond)
-binder_call(wifi_stack, network_stack)
-
-# Perform HwBinder IPC.
-hwbinder_use(wifi_stack)
-hal_client_domain(wifi_stack, hal_wifi)
-hal_client_domain(wifi_stack, hal_wifi_hostapd)
-hal_client_domain(wifi_stack, hal_wifi_supplicant)
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow wifi_stack debugfs_tracing_instances:dir search;
-allow wifi_stack debugfs_wifi_tracing:dir search;
-allow wifi_stack debugfs_wifi_tracing:file rw_file_perms;
-
-# Connectivity
-allow wifi_stack self:capability { net_bind_service net_admin net_raw };
-allow wifi_stack self:packet_socket create_socket_perms_no_ioctl;
-allow wifi_stack self:netlink_route_socket nlmsg_write;
-allowxperm wifi_stack self:udp_socket ioctl priv_sock_ioctls;
-
-# dumpstate support
-allow wifi_stack dumpstate:fd use;
-allow wifi_stack dumpstate:fifo_file write;
diff --git a/public/app.te b/public/app.te index 1f03bd47c..b771b5fae 100644 --- a/public/app.te +++ b/public/app.te @@ -364,8 +364,8 @@ allow appdomain zygote_tmpfs:file { map read }; ### # Superuser capabilities. -# bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin. -neverallow { appdomain -bluetooth -network_stack -wifi_stack } self:capability_class_set *; +# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin. +neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *; # Block device access. neverallow appdomain dev_type:blk_file { read write }; @@ -488,8 +488,9 @@ neverallow appdomain neverallow appdomain systemkeys_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -wifi_stack } - wifi_data_file:dir_file_class_set *; +neverallow appdomain + wifi_data_file:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; neverallow appdomain dhcp_data_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; @@ -512,7 +513,7 @@ neverallow appdomain proc:dir_file_class_set write; # Access to syslog(2) or /proc/kmsg. -neverallow { appdomain userdebug_or_eng(`-wifi_stack') } kernel:system { syslog_read syslog_mod syslog_console }; +neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console }; # SELinux is not an API for apps to use neverallow { appdomain -shell } *:security { compute_av check_context }; diff --git a/public/netd.te b/public/netd.te index 3e48bd243..c15a03baf 100644 --- a/public/netd.te +++ b/public/netd.te @@ -141,7 +141,6 @@ neverallow { -network_stack -netd -netutils_wrapper - -wifi_stack } netd_service:service_manager find; # only system_server, dumpstate and network stack app may find dnsresolver service 
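Review bot: The rewritten wifi_data_file assertion in the second public/app.te hunk is weaker than the one it replaces: `neverallow { appdomain -wifi_stack } wifi_data_file:dir_file_class_set *;` forbade every permission, while the new rule lists only `{ create write setattr relabelfrom relabelto append unlink link rename }`, so a later rule giving an app domain read, open or search on wifi_data_file would no longer fail the build. The deleted private/wifi_stack.te describes this type as /data/misc/wifi, which is worth guarding against reads as well as writes. With wifi_stack gone and no app domain left in the exemption list, the stricter form looks achievable as `neverallow appdomain wifi_data_file:dir_file_class_set *;`, provided no remaining app domain rule reads that type, which this diff does not show.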
@@ -152,12 +151,11 @@ neverallow { -network_stack -netd -netutils_wrapper - -wifi_stack } dnsresolver_service:service_manager find; # apps may not interact with netd over binder. -neverallow { appdomain -network_stack -wifi_stack } netd:binder call; -neverallow netd { appdomain -network_stack -wifi_stack userdebug_or_eng(`-su') }:binder call; +neverallow { appdomain -network_stack } netd:binder call; +neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call; # persist.netd.stable_secret contains RFC 7217 secret key which should never be # leaked to other processes. Make sure it never leaks. diff --git a/public/service.te b/public/service.te index c025530fe..f746727db 100644 --- a/public/service.te +++ b/public/service.te @@ -186,7 +186,6 @@ type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_s type wifip2p_service, app_api_service, system_server_service, service_manager_type; type wifiscanner_service, system_api_service, system_server_service, service_manager_type; type wifi_service, app_api_service, system_server_service, service_manager_type; -type wifi_stack_service, system_server_service, service_manager_type; type wificond_service, service_manager_type; type wifiaware_service, app_api_service, system_server_service, service_manager_type; type window_service, system_api_service, system_server_service, service_manager_type; diff --git a/public/wifi_stack.te b/public/wifi_stack.te deleted file mode 100644 index f1a26f5e7..000000000 --- a/public/wifi_stack.te +++ /dev/null @@ -1,2 +0,0 @@ -# Wifi Stack Mandatory -type wifi_stack, domain; diff --git a/public/wificond.te b/public/wificond.te index 2a4eb4e43..cfca60e3d 100644 --- a/public/wificond.te +++ b/public/wificond.te @@ -4,7 +4,6 @@ type wificond_exec, system_file_type, exec_type, file_type; binder_use(wificond) binder_call(wificond, system_server) -binder_call(wificond, wifi_stack) add_service(wificond, wificond_service)