SEPolicy for Netlink Interceptor

Make Netlink Interceptor work when SELinux is enforcing Test: Netlink Interceptor HAL comes up and works Bug: 194683902 Change-Id: I3afc7ae04eba82f2f6385b66ddd5f4a8310dff88
2021-10-05 16:53:52 -07:00 · 2021-10-05 16:53:52 -07:00 · 4ac3d74a70
commit 4ac3d74a70
parent c0cd637049
7 changed files with 16 additions and 0 deletions
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@ -19,6 +19,7 @@
    hal_uwb_service
    hal_uwb_vendor_service
    hal_wifi_hostapd_service
+    hal_nlinterceptor_service
    hypervisor_prop
    locale_service
    power_stats_service
--- a/private/service_contexts
+++ b/private/service_contexts
@ -9,6 +9,7 @@ android.hardware.health.storage.IStorage/default                     u:object_r:
 android.hardware.identity.IIdentityCredentialStore/default           u:object_r:hal_identity_service:s0
 android.hardware.light.ILights/default                               u:object_r:hal_light_service:s0
 android.hardware.memtrack.IMemtrack/default                          u:object_r:hal_memtrack_service:s0
+android.hardware.net.nlinterceptor.IInterceptor/default              u:object_r:hal_nlinterceptor_service:s0
 android.hardware.oemlock.IOemLock/default                            u:object_r:hal_oemlock_service:s0
 android.hardware.power.IPower/default                                u:object_r:hal_power_service:s0
 android.hardware.power.stats.IPowerStats/default                     u:object_r:hal_power_stats_service:s0
--- a/public/attributes
+++ b/public/attributes
@ -355,6 +355,7 @@ hal_attribute(lowpan);
 hal_attribute(memtrack);
 hal_attribute(neuralnetworks);
 hal_attribute(nfc);
+hal_attribute(nlinterceptor);
 hal_attribute(oemlock);
 hal_attribute(omx);
 hal_attribute(power);
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@ -9,6 +9,7 @@ neverallow {
  -hal_wifi_supplicant_server
  -hal_telephony_server
  -hal_uwb_vendor_server
+  -hal_nlinterceptor_server
 } self:global_capability_class_set { net_admin net_raw };

 # Unless a HAL's job is to communicate over the network, or control network
@ -27,6 +28,7 @@ neverallow {
  -hal_wifi_supplicant_server
  -hal_telephony_server
  -hal_uwb_vendor_server
+  -hal_nlinterceptor_server
 } domain:{ udp_socket rawip_socket } *;

 neverallow {
@ -38,6 +40,7 @@ neverallow {
  -hal_wifi_hostapd_server
  -hal_wifi_supplicant_server
  -hal_telephony_server
+  -hal_nlinterceptor_server
 } {
  domain
  userdebug_or_eng(`-su')
--- a/public/hal_nlinterceptor.te
+++ b/public/hal_nlinterceptor.te
@ -0,0 +1,8 @@
+binder_call(hal_nlinterceptor_client, hal_nlinterceptor_server)
+
+hal_attribute_service(hal_nlinterceptor, hal_nlinterceptor_service)
+binder_call(hal_nlinterceptor, servicemanager)
+
+allow hal_nlinterceptor self:global_capability_class_set net_admin;
+allow hal_nlinterceptor self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_nlinterceptor self:netlink_route_socket { nlmsg_readpriv nlmsg_write };
--- a/public/service.te
+++ b/public/service.te
@ -280,6 +280,7 @@ type hal_tv_tuner_service, vendor_service, protected_service, service_manager_ty
 type hal_uwb_service, vendor_service, protected_service, service_manager_type;
 type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
 type hal_weaver_service, vendor_service, protected_service, service_manager_type;
+type hal_nlinterceptor_service, vendor_service, protected_service, service_manager_type;

 ###
 ### Neverallow rules
--- a/public/wificond.te
+++ b/public/wificond.te
@ -7,6 +7,7 @@ binder_call(wificond, system_server)
 binder_call(wificond, keystore)

 add_service(wificond, wifinl80211_service)
+hal_client_domain(wificond, hal_nlinterceptor)

 # create sockets to set interfaces up and down
 allow wificond self:udp_socket create_socket_perms;