sepolicy(hostapd): Add a HIDL interface for hostapd
Change sepolicy permissions to now classify hostapd as a HAL exposing HIDL interface. Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd: 12-27 23:40:55.913 4952 4952 W hostapd : type=1400 audit(0.0:19): avc: denied { write } for name="hostapd" dev="sda13" ino=4587601 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0 01-02 19:07:16.938 5791 5791 W hostapd : type=1400 audit(0.0:31): avc: denied { search } for name="net" dev="sysfs" ino=30521 scontext=u:r:hal_wifi_hostapd_default:s0 tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0 Bug: 36646171 Test: Device boots up and able to turn on SoftAp. Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
This commit is contained in:
parent
a4e83bc5f3
commit
5bca3e860d
12 changed files with 51 additions and 27 deletions
|
@ -34,6 +34,7 @@
|
|||
hal_lowpan_hwservice
|
||||
hal_neuralnetworks_hwservice
|
||||
hal_tetheroffload_hwservice
|
||||
hal_wifi_hostapd_hwservice
|
||||
hal_wifi_offload_hwservice
|
||||
kmsg_debug_device
|
||||
last_boot_reason_prop
|
||||
|
|
|
@ -47,6 +47,7 @@ android.hardware.vibrator::IVibrator u:object_r:hal_v
|
|||
android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
|
||||
android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
|
||||
android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
|
||||
android.hardware.wifi.hostapd::IHostapd u:object_r:hal_wifi_hostapd_hwservice:s0
|
||||
android.hardware.wifi.offload::IOffload u:object_r:hal_wifi_offload_hwservice:s0
|
||||
android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
|
||||
android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
|
||||
|
|
|
@ -202,6 +202,7 @@ hal_client_domain(system_server, hal_vibrator)
|
|||
hal_client_domain(system_server, hal_vr)
|
||||
hal_client_domain(system_server, hal_weaver)
|
||||
hal_client_domain(system_server, hal_wifi)
|
||||
hal_client_domain(system_server, hal_wifi_hostapd)
|
||||
hal_client_domain(system_server, hal_wifi_offload)
|
||||
hal_client_domain(system_server, hal_wifi_supplicant)
|
||||
|
||||
|
|
|
@ -233,6 +233,7 @@ hal_attribute(vibrator);
|
|||
hal_attribute(vr);
|
||||
hal_attribute(weaver);
|
||||
hal_attribute(wifi);
|
||||
hal_attribute(wifi_hostapd);
|
||||
hal_attribute(wifi_offload);
|
||||
hal_attribute(wifi_supplicant);
|
||||
|
||||
|
|
|
@ -4,6 +4,7 @@ neverallow {
|
|||
halserverdomain
|
||||
-hal_bluetooth_server
|
||||
-hal_wifi_server
|
||||
-hal_wifi_hostapd_server
|
||||
-hal_wifi_supplicant_server
|
||||
-rild
|
||||
} self:global_capability_class_set { net_admin net_raw };
|
||||
|
@ -14,6 +15,7 @@ neverallow {
|
|||
halserverdomain
|
||||
-hal_tetheroffload_server
|
||||
-hal_wifi_server
|
||||
-hal_wifi_hostapd_server
|
||||
-hal_wifi_supplicant_server
|
||||
-rild
|
||||
} domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
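Review bot: Both exemptions added here (`-hal_wifi_hostapd_server` in the net_admin/net_raw hunk and again in the tcp/udp/rawip socket hunk) are granted to the attribute, not to the concrete `hal_wifi_hostapd_default` domain, so any vendor domain declared with `hal_server_domain(..., hal_wifi_hostapd)` is carved out of both neverallows, not just the AOSP hostapd. That mirrors how `hal_wifi_server` and `hal_wifi_supplicant_server` are listed, but nothing records why hostapd needs the carve-out, which is the kind of thing a later reviewer of this list has to reconstruct from git blame. A short comment on the new line, `# hostapd (hal_wifi_hostapd_server) configures the AP interface and uses raw/packet sockets`, pointing at the matching `allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };` in public/hal_wifi_hostapd.te would make the intent explicit. The enclosing `neverallow {` statements open before each hunk, so their full exemption lists are not visible here.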
|
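--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -0,0 +1,28 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
+binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
+
+add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
+allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
+
+allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
+
+allow hal_wifi_hostapd_server sysfs_net:dir search;
+
+# Allow hal_wifi_hostapd to access /proc/net/psched
+allow hal_wifi_hostapd_server proc_net:file { getattr open read };
+
+# Various socket permissions.
+allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
+allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
+
+###
+### neverallow rules
+###
+
+# hal_wifi_hostapd should not trust any data from sdcards
+neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_hostapd_server sdcard_type:file *;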
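Review bot: The new domain only gets `allow hal_wifi_hostapd_server sysfs_net:dir search;`, whereas the vendor/hostapd.te deleted in this same commit also allowed `sysfs:file r_file_perms` and `sysfs:lnk_file r_file_perms`, with comments saying hostapd reads its interface via sysfs and follows the /sys/class/net/wlan0 link. Dropping those may be a deliberate tightening (the denial quoted in the message is only the `search` on sysfs_net), but if the daemon still reads files or links under /sys/class/net those accesses will be denied in enforcing mode, and the Test line only covers a single SoftAp bring-up. Either carry the two rules over or record the decision above the search rule, e.g. `# Only directory lookup under /sys/class/net is needed; the sysfs file/lnk_file reads the old hostapd domain had were dropped deliberately.` — whichever is true. Separately, the `net_admin net_raw` capability line has no comment explaining why the HAL needs both; a why-comment there is cheap and is what a reviewer of the neverallow exemptions will look for.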
|
@ -41,6 +41,7 @@ type hal_vibrator_hwservice, hwservice_manager_type;
|
|||
type hal_vr_hwservice, hwservice_manager_type;
|
||||
type hal_weaver_hwservice, hwservice_manager_type;
|
||||
type hal_wifi_hwservice, hwservice_manager_type;
|
||||
type hal_wifi_hostapd_hwservice, hwservice_manager_type;
|
||||
type hal_wifi_offload_hwservice, hwservice_manager_type;
|
||||
type hal_wifi_supplicant_hwservice, hwservice_manager_type;
|
||||
type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
|
|
|
@ -91,6 +91,7 @@ userdebug_or_eng(`
|
|||
typeattribute su hal_vr_client;
|
||||
typeattribute su hal_weaver_client;
|
||||
typeattribute su hal_wifi_client;
|
||||
typeattribute su hal_wifi_hostapd_client;
|
||||
typeattribute su hal_wifi_offload_client;
|
||||
typeattribute su hal_wifi_supplicant_client;
|
||||
')
|
||||
|
|
4
vendor/file.te
vendored
4
vendor/file.te
vendored
|
@ -1,2 +1,2 @@
|
|||
# Socket types
|
||||
type hostapd_socket, file_type, data_file_type;
|
||||
# Hostapd conf files
|
||||
type hostapd_data_file, file_type, data_file_type;
|
||||
|
|
4
vendor/file_contexts
vendored
4
vendor/file_contexts
vendored
|
@ -38,8 +38,8 @@
|
|||
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service u:object_r:hal_wifi_offload_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hostapd u:object_r:hostapd_exec:s0
|
||||
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
|
||||
|
||||
#############################
|
||||
|
@ -52,4 +52,4 @@
|
|||
#############################
|
||||
# Data files
|
||||
#
|
||||
/data/misc/wifi/hostapd(/.*)? u:object_r:hostapd_socket:s0
|
||||
/data/vendor/wifi/hostapd(/.*)? u:object_r:hostapd_data_file:s0
|
||||
|
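Review bot: The commit message says the denial was for `/data/vendor/misc/wifi/hostapd`, but the label added in the second hunk matches `/data/vendor/wifi/hostapd(/.*)?`; the two paths differ by a `misc` component. If the daemon and init actually use the path in the message, that directory keeps its default label and the quoted `write` denial would persist while only the sibling path is relabelled. Please confirm the directory hostapd is started with and make the file_contexts pattern and the commit message agree; if the message is simply a typo, fixing it avoids sending the next person debugging a hostapd denial to the wrong path.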
|
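--- a/vendor/hal_wifi_hostapd_default.te
+++ b/vendor/hal_wifi_hostapd_default.te
@@ -0,0 +1,11 @@
+# hostapd or equivalent
+type hal_wifi_hostapd_default, domain;
+hal_server_domain(hal_wifi_hostapd_default, hal_wifi_hostapd)
+type hal_wifi_hostapd_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_hostapd_default)
+
+net_domain(hal_wifi_hostapd_default)
+
+# Allow hostapd to access it's data folder
+allow hal_wifi_hostapd_default hostapd_data_file:dir rw_dir_perms;
+allow hal_wifi_hostapd_default hostapd_data_file:file create_file_perms;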
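Review bot: The comment `# Allow hostapd to access it's data folder` should read `its`, and since the label is defined in other files it would help to name what it refers to: `# Allow hostapd to read/write its data directory (/data/vendor/wifi/hostapd, labelled hostapd_data_file in vendor/file_contexts).` The pairing of `rw_dir_perms` on the directory with `create_file_perms` on files lets the daemon create and delete files there; if it only consumes a configuration written by the framework, the read-only `r_dir_perms`/`r_file_perms` would be the tighter choice, so a sentence stating which it is would let the next reader judge the rule without re-running the denial.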
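--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -1,23 +0,0 @@
-# userspace wifi access points
-type hostapd, domain;
-type hostapd_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(hostapd)
-
-net_domain(hostapd)
-allow hostapd self:global_capability_class_set { net_admin net_raw };
-
-# hostapd learns about its network interface via sysfs.
-allow hostapd sysfs:file r_file_perms;
-# hostapd follows the /sys/class/net/wlan0 link to the PCI device.
-allow hostapd sysfs:lnk_file r_file_perms;
-
-# Allow hostapd to access /proc/net/psched
-allow hostapd proc_net:file { getattr open read };
-
-# Various socket permissions.
-allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;
-allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
-allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hostapd self:packet_socket create_socket_perms_no_ioctl;
-allow hostapd self:netlink_route_socket nlmsg_write;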