From a976e64d89575fb93b9fb1ca47c6aefc496e91b9 Mon Sep 17 00:00:00 2001
From: Roshan Pius <rpius@google.com>
Date: Sat, 18 Feb 2017 21:32:32 -0800
Subject: [PATCH] sepolicy: Make wpa_supplicant a HIDL service

Note: The existing rules allowing socket communication will be removed
once we  migrate over to HIDL completely.

(cherry-pick of 2a9595ede2c9a224686e619c2ee5c976dd324ac0)
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
---
 private/file_contexts                 |  1 -
 private/service_contexts              |  1 -
 private/system_server.te              |  5 ++-
 private/wpa.te                        |  6 ---
 public/attributes                     |  3 ++
 public/domain_deprecated.te           |  3 --
 public/hal_wifi_supplicant.te         | 55 ++++++++++++++++++++++++++
 public/service.te                     |  1 -
 public/wpa.te                         | 56 ---------------------------
 vendor/file_contexts                  |  1 +
 vendor/hal_wifi_supplicant_default.te |  9 +++++
 11 files changed, 71 insertions(+), 70 deletions(-)
 delete mode 100644 private/wpa.te
 create mode 100644 public/hal_wifi_supplicant.te
 delete mode 100644 public/wpa.te
 create mode 100644 vendor/hal_wifi_supplicant_default.te

diff --git a/private/file_contexts b/private/file_contexts
index 7497722c9..4f27bcbda 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -204,7 +204,6 @@
 /system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
 /system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
 /system/bin/tombstoned u:object_r:tombstoned_exec:s0
-/system/bin/wpa_supplicant	u:object_r:wpa_exec:s0
 /system/bin/recovery-persist     u:object_r:recovery_persist_exec:s0
 /system/bin/recovery-refresh     u:object_r:recovery_refresh_exec:s0
 /system/bin/sdcard      u:object_r:sdcardd_exec:s0
diff --git a/private/service_contexts b/private/service_contexts
index 4335957f1..5fd87dc06 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -165,5 +165,4 @@ wifi                                      u:object_r:wifi_service:s0
 wificond                                  u:object_r:wificond_service:s0
 wifiaware                                 u:object_r:wifiaware_service:s0
 window                                    u:object_r:window_service:s0
-wpa                                       u:object_r:wpa_supplicant_service:s0
 *                                         u:object_r:default_android_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 892d52237..f26332c43 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -158,7 +158,8 @@ unix_socket_connect(system_server, vold, vold)
 unix_socket_connect(system_server, webview_zygote, webview_zygote)
 unix_socket_connect(system_server, zygote, zygote)
 unix_socket_connect(system_server, racoon, racoon)
-unix_socket_send(system_server, wpa, wpa)
+# TODO(b/35707797): Remove this socket access.
+unix_socket_send(system_server, wpa, hal_wifi_supplicant_server)
 unix_socket_connect(system_server, uncrypt, uncrypt)
 
 # Communicate over a socket created by surfaceflinger.
@@ -194,7 +195,7 @@ binder_call(system_server, hal_usb)
 binder_call(system_server, hal_vibrator)
 binder_call(system_server, hal_vr)
 hal_client_domain(system_server, hal_wifi)
-binder_call(system_server, wpa)
+hal_client_domain(system_server, hal_wifi_supplicant)
 
 # Talk to tombstoned to get ANR traces.
 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
diff --git a/private/wpa.te b/private/wpa.te
deleted file mode 100644
index 4bf29cfb5..000000000
--- a/private/wpa.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-init_daemon_domain(wpa)
-
-# Create a socket for receiving info from wpa
-type_transition wpa wifi_data_file:dir wpa_socket "sockets";
diff --git a/public/attributes b/public/attributes
index 0fd94443d..171ebd8a9 100644
--- a/public/attributes
+++ b/public/attributes
@@ -168,3 +168,6 @@ attribute hal_vr;
 attribute hal_wifi;
 attribute hal_wifi_client;
 attribute hal_wifi_server;
+attribute hal_wifi_supplicant;
+attribute hal_wifi_supplicant_client;
+attribute hal_wifi_supplicant_server;
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 66acfd691..aa6ec4e7e 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -228,7 +228,6 @@ auditallow {
   -tee
   -ueventd
   -vold
-  -wpa
 } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow {
   domain_deprecated
@@ -243,7 +242,6 @@ auditallow {
   -tee
   -ueventd
   -vold
-  -wpa
 } sysfs:file r_file_perms;
 auditallow {
   domain_deprecated
@@ -258,7 +256,6 @@ auditallow {
   -tee
   -ueventd
   -vold
-  -wpa
 } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
 auditallow {
   domain_deprecated
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
new file mode 100644
index 000000000..8d2c0ea19
--- /dev/null
+++ b/public/hal_wifi_supplicant.te
@@ -0,0 +1,55 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
+binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
+
+# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(hal_wifi_supplicant, sysfs_type)
+r_dir_file(hal_wifi_supplicant, proc_net)
+
+allow hal_wifi_supplicant kernel:system module_request;
+allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
+allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
+allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:packet_socket create_socket_perms;
+allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
+# TODO(b/35707797): Remove this socket access.
+unix_socket_send(hal_wifi_supplicant, system_wpa, system_server)
+
+# HIDL interface exposed by WPA.
+hwbinder_use(hal_wifi_supplicant)
+binder_call(hal_wifi_supplicant, system_server)
+
+# Create a socket for receiving info from wpa
+allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
+
+# TODO(b/34131400): Use hwbinder to access keystore.
+use_keystore(hal_wifi_supplicant)
+binder_use(hal_wifi_supplicant)
+
+# WPA (wifi) has a restricted set of permissions from the default.
+allow hal_wifi_supplicant keystore:keystore_key {
+    get
+    sign
+    verify
+};
+
+# Allow wpa_cli to work. wpa_cli creates a socket in
+# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
+userdebug_or_eng(`
+  unix_socket_send(hal_wifi_supplicant, wpa, su)
+')
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_supplicant_server sdcard_type:file *;
diff --git a/public/service.te b/public/service.te
index a6e36ba1f..478b00eb1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -142,4 +142,3 @@ type wifi_service, app_api_service, system_server_service, service_manager_type;
 type wificond_service, service_manager_type;
 type wifiaware_service, app_api_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
-type wpa_supplicant_service, system_server_service, service_manager_type;
diff --git a/public/wpa.te b/public/wpa.te
deleted file mode 100644
index 20fcd5368..000000000
--- a/public/wpa.te
+++ /dev/null
@@ -1,56 +0,0 @@
-# wpa - wpa supplicant or equivalent
-type wpa, domain, domain_deprecated;
-type wpa_exec, exec_type, file_type;
-
-net_domain(wpa)
-# in addition to ioctls whitelisted for all domains, grant wpa priv_sock_ioctls.
-allowxperm wpa self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(wpa, sysfs_type)
-r_dir_file(wpa, proc_net)
-
-allow wpa kernel:system module_request;
-allow wpa self:capability { setuid net_admin setgid net_raw };
-allow wpa cgroup:dir create_dir_perms;
-allow wpa self:netlink_route_socket nlmsg_write;
-allow wpa self:netlink_socket create_socket_perms_no_ioctl;
-allow wpa self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow wpa self:packet_socket create_socket_perms;
-allowxperm wpa self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
-allow wpa wifi_data_file:dir create_dir_perms;
-allow wpa wifi_data_file:file create_file_perms;
-unix_socket_send(wpa, system_wpa, system_server)
-
-# Keystore access via binder.
-binder_use(wpa)
-
-# HIDL interface exposed by WPA.
-hwbinder_use(wpa)
-binder_call(wpa, system_server)
-
-# Create a socket for receiving info from wpa
-allow wpa wpa_socket:dir create_dir_perms;
-allow wpa wpa_socket:sock_file create_file_perms;
-
-use_keystore(wpa)
-
-# WPA (wifi) has a restricted set of permissions from the default.
-allow wpa keystore:keystore_key {
-	get
-	sign
-	verify
-};
-
-# Allow wpa_cli to work. wpa_cli creates a socket in
-# /data/misc/wifi/sockets which wpa supplicant communicates with.
-userdebug_or_eng(`
-  unix_socket_send(wpa, wpa, su)
-')
-
-###
-### neverallow rules
-###
-
-# wpa_supplicant should not trust any data from sdcards
-neverallow wpa sdcard_type:dir ~getattr;
-neverallow wpa sdcard_type:file *;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index f51c5b53d..98317e32c 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -28,3 +28,4 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant           u:object_r:hal_wifi_supplicant_default_exec:s0
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
new file mode 100644
index 000000000..3bde9ecdc
--- /dev/null
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -0,0 +1,9 @@
+# wpa supplicant or equivalent
+type hal_wifi_supplicant_default, domain;
+hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)
+type hal_wifi_supplicant_default_exec, exec_type, file_type;
+init_daemon_domain(hal_wifi_supplicant_default)
+
+net_domain(hal_wifi_supplicant_default)
+# Create a socket for receiving info from wpa
+type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
-- 
GitLab