hal_tetheroffload: Grant permissions

avc: denied { read write } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { setopt } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { getattr } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { create } for scontext=u:r:system_server:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket

Bug: 29337859
Bug: 32163131
Test: adb shell getenforce
Enforcing
adb shell dumpsys connectivity tethering
Tethering:
  ...
  Log:
    ...
    06-28 11:46:58.841 - SET master tether settings: ON
    06-28 11:46:58.857 - [OffloadController] tethering offload started
And logs show some signs of happiness:
    06-28 11:46:58.853   816   947 I IPAHALService: IPACM was provided two FDs (18, 19)
    06-28 11:46:58.853  1200  1571 I zygote64: Looking for service android.hardware.tetheroffload.control@1.0::IOffloadControl/default
Change-Id: I0c63bd2de334b4ca40e54efb9df4ed4904667e21

private/system_server.te

@@ -79,6 +79,9 @@ allow system_server kernel:system module_request;
 # Allow alarmtimers to be set
 allow system_server self:capability2 wake_alarm;
 
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 

public/hal_tetheroffload.te

 ## HwBinder IPC from client to server, and callbacks
 binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
 binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
+
+allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
+
+# allow the client to pass the server already open netlink sockets
+allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };

public/hwservice.te

@@ -28,6 +28,7 @@ type hal_power_hwservice, hwservice_manager_type;
 type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
 type hal_sensors_hwservice, hwservice_manager_type;
 type hal_telephony_hwservice, hwservice_manager_type;
+type hal_tetheroffload_hwservice, hwservice_manager_type;
 type hal_thermal_hwservice, hwservice_manager_type;
 type hal_tv_cec_hwservice, hwservice_manager_type;
 type hal_tv_input_hwservice, hwservice_manager_type;

vendor/hal_tetheroffload_default.te

+type hal_tetheroffload_default, domain;
+hal_server_domain(hal_tetheroffload_default, hal_tetheroffload)
+
+type hal_tetheroffload_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tetheroffload_default)