From 4ac3d74a7001cc4242ccc3b94fd4e8872da6e213 Mon Sep 17 00:00:00 2001
From: Chris Weir
Date: Tue, 5 Oct 2021 16:53:52 -0700
Subject: [PATCH] SEPolicy for Netlink Interceptor

Make Netlink Interceptor work when SELinux is enforcing

Test: Netlink Interceptor HAL comes up and works
Bug: 194683902
Change-Id: I3afc7ae04eba82f2f6385b66ddd5f4a8310dff88
---
 private/compat/31.0/31.0.ignore.cil | 1 +
 private/service_contexts | 1 +
 public/attributes | 1 +
 public/hal_neverallows.te | 3 +++
 public/hal_nlinterceptor.te | 8 ++++++++
 public/service.te | 1 +
 public/wificond.te | 1 +
 7 files changed, 16 insertions(+)
 create mode 100644 public/hal_nlinterceptor.te

diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 7decba144..518af9d88 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -19,6 +19,7 @@
 hal_uwb_service
 hal_uwb_vendor_service
 hal_wifi_hostapd_service
+ hal_nlinterceptor_service
 hypervisor_prop
 locale_service
 power_stats_service
diff --git a/private/service_contexts b/private/service_contexts
index b9ab85da2..a7b027c4f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -9,6 +9,7 @@ android.hardware.health.storage.IStorage/default u:object_r:
 android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
 android.hardware.light.ILights/default u:object_r:hal_light_service:s0
 android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
+android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
 android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
 android.hardware.power.IPower/default u:object_r:hal_power_service:s0
 android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
diff --git a/public/attributes b/public/attributes
index 32fe98c44..314b278d6 100644
--- a/public/attributes
+++ b/public/attributes
@@ -355,6 +355,7 @@ hal_attribute(lowpan);
 hal_attribute(memtrack);
 hal_attribute(neuralnetworks);
 hal_attribute(nfc);
+hal_attribute(nlinterceptor);
 hal_attribute(oemlock);
 hal_attribute(omx);
 hal_attribute(power);
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 3254f1154..0d6554bb6 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -9,6 +9,7 @@ neverallow {
 -hal_wifi_supplicant_server
 -hal_telephony_server
 -hal_uwb_vendor_server
+ -hal_nlinterceptor_server
 } self:global_capability_class_set { net_admin net_raw };
 
 # Unless a HAL's job is to communicate over the network, or control network
@@ -27,6 +28,7 @@ neverallow {
 -hal_wifi_supplicant_server
 -hal_telephony_server
 -hal_uwb_vendor_server
+ -hal_nlinterceptor_server
 } domain:{ udp_socket rawip_socket } *;
 
 neverallow {
@@ -38,6 +40,7 @@ neverallow {
 -hal_wifi_hostapd_server
 -hal_wifi_supplicant_server
 -hal_telephony_server
+ -hal_nlinterceptor_server
 } {
 domain
 userdebug_or_eng(`-su')
diff --git a/public/hal_nlinterceptor.te b/public/hal_nlinterceptor.te
new file mode 100644
index 000000000..2076de80b
--- /dev/null
+++ b/public/hal_nlinterceptor.te
@@ -0,0 +1,8 @@
+binder_call(hal_nlinterceptor_client, hal_nlinterceptor_server)
+
+hal_attribute_service(hal_nlinterceptor, hal_nlinterceptor_service)
+binder_call(hal_nlinterceptor, servicemanager)
+
+allow hal_nlinterceptor self:global_capability_class_set net_admin;
+allow hal_nlinterceptor self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_nlinterceptor self:netlink_route_socket { nlmsg_readpriv nlmsg_write };
diff --git a/public/service.te b/public/service.te
index a82194198..97d697ece 100644
--- a/public/service.te
+++ b/public/service.te
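Review bot: The `-hal_nlinterceptor_server` exemptions added in the second hunk (the `domain:{ udp_socket rawip_socket } *` neverallow) and the third hunk (the tcp_socket neverallow) of hal_neverallows.te go beyond what this commit's hal_nlinterceptor.te grants, which is only netlink_generic_socket and netlink_route_socket — object classes those two neverallows never covered — so for the HAL as written only the net_admin/net_raw exemption in the first hunk is needed. Unless a vendor implementation is expected to open inet sockets, dropping the new line from the second and third lists keeps that neverallow coverage in place for this domain; if the exemptions are intentional, a comment above the first list such as `# hal_nlinterceptor_server: Netlink Interceptor HAL, uses netlink sockets with CAP_NET_ADMIN` would record why. The first hunk's exemption also spans net_raw while hal_nlinterceptor.te allows only net_admin, which is inherent to exempting a whole domain from the set but worth stating. Each of the three neverallow blocks starts before its hunk.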
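Review bot: The last line of hal_nlinterceptor.te grants netlink_route_socket only `nlmsg_readpriv nlmsg_write` and none of the base socket permissions (create, bind, read, write) that the preceding netlink_generic_socket line receives through create_socket_perms_no_ioctl, so unless a domain-wide rule elsewhere already supplies them the HAL cannot open its own NETLINK_ROUTE socket from this file alone. If it is meant to, add `allow hal_nlinterceptor self:netlink_route_socket create_socket_perms_no_ioctl;` beside the existing line; if the route permissions are meant for a socket obtained some other way, a comment saying so would keep a later reader from "fixing" it. Either way, a short header comment stating what the HAL does with net_admin and nlmsg_write — both privileged, the latter permitting modifying RTNETLINK requests — would document the trust this new vendor domain is given.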
@@ -280,6 +280,7 @@ type hal_tv_tuner_service, vendor_service, protected_service, service_manager_ty
 type hal_uwb_service, vendor_service, protected_service, service_manager_type;
 type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
 type hal_weaver_service, vendor_service, protected_service, service_manager_type;
+type hal_nlinterceptor_service, vendor_service, protected_service, service_manager_type;
 
 ###
 ### Neverallow rules
diff --git a/public/wificond.te b/public/wificond.te
index 254fcbca0..98db0d728 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -7,6 +7,7 @@ binder_call(wificond, system_server)
 binder_call(wificond, keystore)
 
 add_service(wificond, wifinl80211_service)
+hal_client_domain(wificond, hal_nlinterceptor)
 
 # create sockets to set interfaces up and down
 allow wificond self:udp_socket create_socket_perms;
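Review bot: `type hal_nlinterceptor_service` is appended after hal_weaver_service, breaking the alphabetical order the neighbouring hal_*_service declarations follow (uwb, vibrator, weaver); it presumably belongs near hal_nfc_service / hal_oemlock_service, where public/attributes in this same commit already sorts hal_attribute(nlinterceptor). The entry added to private/compat/31.0/31.0.ignore.cil after hal_wifi_hostapd_service has the same problem. Keeping these lists sorted makes the new type easy to find and avoids needless conflicts with other HAL additions.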
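Review bot: The new `hal_client_domain(wificond, hal_nlinterceptor)` line in wificond.te carries no comment, while the rule right after it is introduced by `# create sockets to set interfaces up and down`; a one-line comment such as `# talk to the Netlink Interceptor HAL` above it would tell a reader why a system daemon is given client access to this vendor HAL. The commit message only says the HAL "comes up and works", so the rule itself is the only place that relationship is recorded.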