Revert "sepolicy: Permission changes for new wifi mainline module"

This reverts commit 3aa1c1725e.

Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.

Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: Ifa33dae971dccfd5d14991727e2f27d2398fdc74

private/compat/29.0/29.0.ignore.cil

@@ -40,7 +40,4 @@
     vendor_boringssl_self_test
     vendor_install_recovery
     vendor_install_recovery_exec
-    virtual_ab_prop
-    wifi_stack
-    wifi_stack_service
-    wifi_stack_tmpfs))
+    virtual_ab_prop))

private/logd.te

@@ -35,5 +35,4 @@ neverallow {
   -shell
   userdebug_or_eng(`-su')
   -system_app
-  -wifi_stack
 } runtime_event_log_tags_file:file no_rw_file_perms;

private/seapp_contexts

@@ -144,8 +144,6 @@ isSystemServer=true domain=system_server_startup
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-# TODO (b/135691051): wifi stack is temporarily a separate process. Will merge to network_stack once non-formal API dependencies are fixed.
-user=network_stack seinfo=network_stack name=com.android.server.wifistack domain=wifi_stack
 user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=secure_element seinfo=platform domain=secure_element levelFrom=all

private/service_contexts

@@ -226,6 +226,5 @@ wifi                                      u:object_r:wifi_service:s0
 wificond                                  u:object_r:wificond_service:s0
 wifiaware                                 u:object_r:wifiaware_service:s0
 wifirtt                                   u:object_r:rttmanager_service:s0
-wifi_stack                                u:object_r:wifi_stack_service:s0
 window                                    u:object_r:window_service:s0
 *                                         u:object_r:default_android_service:s0

private/vold_prepare_subdirs.te

@@ -21,7 +21,6 @@ allow vold_prepare_subdirs {
     rollback_data_file
     storaged_data_file
     vold_data_file
-    wifi_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
     backup_data_file
@@ -32,7 +31,6 @@ allow vold_prepare_subdirs {
     storaged_data_file
     system_data_file
     vold_data_file
-    wifi_data_file
 }:file { getattr unlink };
 
 dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;

private/wifi_stack.te

@@ -1,56 +0,0 @@
-# Wifi Stack Mandatory
-typeattribute wifi_stack coredomain;
-
-app_domain(wifi_stack)
-net_domain(wifi_stack)
-
-# Data file accesses.
-# Manage /data/misc/wifi.
-allow wifi_stack wifi_data_file:dir create_dir_perms;
-allow wifi_stack wifi_data_file:file create_file_perms;
-allow wifi_stack radio_data_file:dir search;
-
-# Property accesses
-userdebug_or_eng(`
-  set_prop(wifi_stack, wifi_log_prop)
-
-  # Allow wifi_stack to read dmesg
-  # TODO(b/137085509): Remove this.
-  allow wifi_stack kernel:system syslog_read;
-')
-
-# ctl interface
-
-# Perform Binder IPC.
-binder_use(wifi_stack)
-allow wifi_stack app_api_service:service_manager find;
-allow wifi_stack network_score_service:service_manager find;
-allow wifi_stack netd_service:service_manager find;
-allow wifi_stack network_stack_service:service_manager find;
-allow wifi_stack radio_service:service_manager find;
-allow wifi_stack wificond_service:service_manager find;
-allow wifi_stack wifiscanner_service:service_manager find;
-binder_call(wifi_stack, system_server)
-binder_call(wifi_stack, wificond)
-binder_call(wifi_stack, network_stack)
-
-# Perform HwBinder IPC.
-hwbinder_use(wifi_stack)
-hal_client_domain(wifi_stack, hal_wifi)
-hal_client_domain(wifi_stack, hal_wifi_hostapd)
-hal_client_domain(wifi_stack, hal_wifi_supplicant)
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow wifi_stack debugfs_tracing_instances:dir search;
-allow wifi_stack debugfs_wifi_tracing:dir search;
-allow wifi_stack debugfs_wifi_tracing:file rw_file_perms;
-
-# Connectivity
-allow wifi_stack self:capability { net_bind_service net_admin net_raw };
-allow wifi_stack self:packet_socket create_socket_perms_no_ioctl;
-allow wifi_stack self:netlink_route_socket nlmsg_write;
-allowxperm wifi_stack self:udp_socket ioctl priv_sock_ioctls;
-
-# dumpstate support
-allow wifi_stack dumpstate:fd use;
-allow wifi_stack dumpstate:fifo_file write;

public/app.te

@@ -364,8 +364,8 @@ allow appdomain zygote_tmpfs:file { map read };
 ###
 
 # Superuser capabilities.
-# bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack -wifi_stack } self:capability_class_set *;
+# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
 
 # Block device access.
 neverallow appdomain dev_type:blk_file { read write };
@@ -488,8 +488,9 @@ neverallow appdomain
 neverallow appdomain
     systemkeys_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -wifi_stack }
-    wifi_data_file:dir_file_class_set *;
+neverallow appdomain
+    wifi_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow appdomain
     dhcp_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
@@ -512,7 +513,7 @@ neverallow appdomain
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain userdebug_or_eng(`-wifi_stack') } kernel:system { syslog_read syslog_mod syslog_console };
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
 
 # SELinux is not an API for apps to use
 neverallow { appdomain -shell } *:security { compute_av check_context };

public/netd.te

@@ -141,7 +141,6 @@ neverallow {
     -network_stack
     -netd
     -netutils_wrapper
-    -wifi_stack
 } netd_service:service_manager find;
 
 # only system_server, dumpstate and network stack app may find dnsresolver service
@@ -152,12 +151,11 @@ neverallow {
     -network_stack
     -netd
     -netutils_wrapper
-    -wifi_stack
 } dnsresolver_service:service_manager find;
 
 # apps may not interact with netd over binder.
-neverallow { appdomain -network_stack -wifi_stack } netd:binder call;
-neverallow netd { appdomain -network_stack -wifi_stack userdebug_or_eng(`-su') }:binder call;
+neverallow { appdomain -network_stack } netd:binder call;
+neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
 
 # persist.netd.stable_secret contains RFC 7217 secret key which should never be
 # leaked to other processes. Make sure it never leaks.

public/service.te

@@ -186,7 +186,6 @@ type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_s
 type wifip2p_service, app_api_service, system_server_service, service_manager_type;
 type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
 type wifi_service, app_api_service, system_server_service, service_manager_type;
-type wifi_stack_service, system_server_service, service_manager_type;
 type wificond_service, service_manager_type;
 type wifiaware_service, app_api_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;

public/wifi_stack.te

@@ -1,2 +0,0 @@
-# Wifi Stack Mandatory
-type wifi_stack, domain;

public/wificond.te

@@ -4,7 +4,6 @@ type wificond_exec, system_file_type, exec_type, file_type;
 
 binder_use(wificond)
 binder_call(wificond, system_server)
-binder_call(wificond, wifi_stack)
 
 add_service(wificond, wificond_service)