wifi: Add sepolicy for LOWI tools

Add sepolicy rules for the LOWI tools, including loc_launcher and
lowi-server, which are necessary for NAN and RTT

Bug: 223296149
Test: loc_launcher and lowi-server start automatically
Change-Id: I915be13fa715de85de91c30e0605f1e8e9d578f4
diff --git a/vendor/file.te b/vendor/file.te
new file mode 100644
index 0000000..2553c74
--- /dev/null
+++ b/vendor/file.te
@@ -0,0 +1,5 @@
+type vendor_location_data_file, file_type, data_file_type;
+type vendor_location_socket, file_type;
+type vendor_wifi_vendor_data_file, file_type, data_file_type;
+type vendor_wifihal_socket, file_type;
+type vendor_location_sysfs, fs_type, sysfs_type;
\ No newline at end of file
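Review bot: file.te is added without a trailing newline (the `\ No newline at end of file` marker on the last line), and the new hal_wifi_hostapd.te and hal_wifi_supplicant.te have the same problem; add the final newline so the next rule appended to any of these files does not show up as a modification of the existing last line. The type declarations themselves line up with the labels used in file_contexts and genfs_contexts in this change.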
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 46faec0..d692577 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -9,4 +9,9 @@
 /dev/lwis-sensor-imx787                                                     u:object_r:lwis_device:s0
 
 # Wifi
+/data/vendor/wifi(/.*)?                 u:object_r:vendor_wifi_vendor_data_file:s0
 /dev/wlan                               u:object_r:vendor_wlan_device:s0
+/dev/socket/location(/.*)?              u:object_r:vendor_location_socket:s0
+/dev/socket/wifihal(/.*)?               u:object_r:vendor_wifihal_socket:s0
+/vendor/bin/loc_launcher                u:object_r:vendor_location_exec:s0
+/vendor/bin/lowi-server                 u:object_r:lowi_server_exec:s0
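Review bot: The socket directory is labelled here as `/dev/socket/location(/.*)?`, but the rules that use vendor_location_socket in lowi_server.te and vendor_location.te sit under a comment naming `/dev/socket/vendor_location`; one of the two is wrong. If the daemons actually create `/dev/socket/vendor_location`, that path is outside this regex, keeps the generic /dev/socket label, and every dir/sock_file rule granted on vendor_location_socket in this change is dead while the daemon's own access is denied; if `/dev/socket/location` is the real path, the two comments should be corrected to it instead. Either way the label and the comments should name the same path, e.g. `# /dev/socket/location` in both .te files.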
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index caf2581..b51cb91 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -1,2 +1,5 @@
 # Haptics
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l26a             u:object_r:sysfs_vibrator:s0
+
+# Wifi
+genfscon sysfs /devices/soc0/soc_id      u:object_r:vendor_location_sysfs:s0
diff --git a/vendor/hal_wifi_ext.te b/vendor/hal_wifi_ext.te
index c5cf260..a16d595 100644
--- a/vendor/hal_wifi_ext.te
+++ b/vendor/hal_wifi_ext.te
@@ -1 +1,12 @@
 allow hal_wifi_ext vendor_wlan_device:chr_file w_file_perms;
+
+# write to files owned by location daemon
+allow hal_wifi_ext vendor_location_socket:dir rw_dir_perms;
+allow hal_wifi_ext vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow hal_wifi_ext vendor_location:unix_dgram_socket sendto;
+allow hal_wifi_ext lowi_server:unix_dgram_socket sendto;
+
+# Connect to vendor_location via vendor_location socket.
+unix_socket_connect(hal_wifi, vendor_location, vendor_location)
+allow hal_wifi_ext vendor_wifihal_socket:dir rw_dir_perms;
+allow hal_wifi_ext vendor_wifihal_socket:sock_file create_file_perms;
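Review bot: `unix_socket_connect(hal_wifi, vendor_location, vendor_location)` names `hal_wifi` as the client, while every other rule in this file is written for `hal_wifi_ext`. If that is a typo, hal_wifi_ext receives no connectto permission on vendor_location's stream socket and the comment above the line does not describe what is granted; if `hal_wifi` (the HAL attribute) is intentional, the connect permission is handed to every domain carrying that attribute, which is broader than the comment suggests. Suggest `unix_socket_connect(hal_wifi_ext, vendor_location, vendor_location)`. Separately, `create_file_perms` on `{sock_file lnk_file}` lets the HAL create and unlink entries in the location socket directory, whereas the comment only says "write to files owned by location daemon"; a one-line comment stating why creation is needed, or narrowing to `write` if it is not, would make the grant auditable.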
diff --git a/vendor/hal_wifi_hostapd.te b/vendor/hal_wifi_hostapd.te
new file mode 100644
index 0000000..f081558
--- /dev/null
+++ b/vendor/hal_wifi_hostapd.te
@@ -0,0 +1 @@
+allow hal_wifi_hostapd_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
\ No newline at end of file
diff --git a/vendor/hal_wifi_supplicant.te b/vendor/hal_wifi_supplicant.te
new file mode 100644
index 0000000..78993ca
--- /dev/null
+++ b/vendor/hal_wifi_supplicant.te
@@ -0,0 +1 @@
+allow hal_wifi_supplicant_default vendor_wifi_vendor_data_file:dir rw_dir_perms;
\ No newline at end of file
diff --git a/vendor/ioctl_macros b/vendor/ioctl_macros
new file mode 100644
index 0000000..1646edf
--- /dev/null
+++ b/vendor/ioctl_macros
@@ -0,0 +1,9 @@
+define(`lowi_server_ioctls', `{
+SIOCGIFINDEX
+SIOCGIFHWADDR
+SIOCGIFFLAGS
+SIOCIWFIRSTPRIV_05
+SIOCIWFIRSTPRIV_11
+SIOCIWFIRSTPRIV_13
+SIOCDEVPRIVATE_1
+}')
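Review bot: Four entries in `lowi_server_ioctls` (`SIOCIWFIRSTPRIV_05`, `SIOCIWFIRSTPRIV_11`, `SIOCIWFIRSTPRIV_13`, `SIOCDEVPRIVATE_1`) are driver-private ioctl numbers whose meaning exists only in the wlan driver, so the allowxperm built from this list in lowi_server.te cannot be reviewed without knowing what each selects. Add a comment block above the `define` that names the driver operation behind each private number, so a later reader can tell whether the set is still minimal. Also confirm each of these names has a definition in the ioctl_defines this policy builds against; a name that m4 does not know is passed through unexpanded and fails the policy build rather than silently granting nothing.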
diff --git a/vendor/lowi_server.te b/vendor/lowi_server.te
new file mode 100644
index 0000000..c1281f9
--- /dev/null
+++ b/vendor/lowi_server.te
@@ -0,0 +1,35 @@
+# lowi_server service
+# which launches various other services supporting Wifi-RTT (LOWI) vendor_location
+type lowi_server, domain;
+type lowi_server_exec, exec_type, vendor_file_type, file_type;
+
+hwbinder_use(lowi_server)
+allow lowi_server self:udp_socket create_socket_perms;
+allow lowi_server self:netlink_route_socket create_socket_perms_no_ioctl;
+
+## lowi-server
+##############
+allow lowi_server vendor_location:fd use;
+allow lowi_server vendor_location:unix_dgram_socket sendto;
+
+# some additional network access
+allow lowi_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allowxperm lowi_server self:udp_socket ioctl lowi_server_ioctls;
+
+# /data/vendor/wifi
+allow lowi_server vendor_wifi_vendor_data_file:dir rw_dir_perms;
+
+# /data/vendor/wifi/wpa
+allow lowi_server wpa_data_file:dir rw_dir_perms;
+allow lowi_server wpa_data_file:sock_file create_file_perms;
+allow lowi_server hal_wifi_supplicant_default:unix_dgram_socket sendto;
+
+# /dev/socket/wifihal
+allow lowi_server vendor_wifihal_socket:dir rw_dir_perms;
+allow lowi_server vendor_wifihal_socket:sock_file create_file_perms;
+allow lowi_server vendor_wifihal_socket:unix_dgram_socket sendto;
+unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_ext);
+
+# /dev/socket/vendor_location
+allow lowi_server vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow lowi_server vendor_location_socket:dir rw_dir_perms;
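Review bot: `allow lowi_server vendor_wifihal_socket:unix_dgram_socket sendto;` pairs a file type with a socket class; unix_dgram_socket sendto is checked against the label of the peer socket, which is normally the domain of the process that created it, not the sock_file label, so unless something explicitly relabels a socket to vendor_wifihal_socket this rule never matches, and the `unix_socket_send(lowi_server, vendor_wifihal, hal_wifi_ext)` line right after it already grants the real permission against hal_wifi_ext. Drop the dead rule. The trailing `;` on that macro invocation is inconsistent with the other macro calls in this change, which have none; it is probably harmless after expansion but worth checking against the policy build. The two header comment lines are copied from vendor_location.te and describe lowi_server as something that "launches various other services", whereas in this policy lowi_server is the domain loc_launcher transitions into; a header such as `# lowi-server: Wifi-RTT (LOWI) daemon, entered from vendor_location via domain_auto_trans` would describe it accurately.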
diff --git a/vendor/vendor_location.te b/vendor/vendor_location.te
new file mode 100644
index 0000000..cefcd49
--- /dev/null
+++ b/vendor/vendor_location.te
@@ -0,0 +1,15 @@
+# loc_launcher service
+# which launches various other services supporting Wifi-RTT (LOWI) vendor_location
+type vendor_location, domain;
+type vendor_location_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_location)
+
+# execute permission for vendor_location daemons in /vendor/bin/
+domain_auto_trans(vendor_location, lowi_server_exec, lowi_server)
+
+# /dev/socket/vendor_location
+allow vendor_location vendor_location_socket:{sock_file lnk_file} create_file_perms;
+allow vendor_location vendor_location_socket:dir rw_dir_perms;
+
+# /sys/devices/soc0/soc_id
+allow vendor_location vendor_location_sysfs:file create_file_perms;
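Review bot: `allow vendor_location vendor_location_sysfs:file create_file_perms;` grants create, write and unlink on the sysfs node `/sys/devices/soc0/soc_id`, which from its path is only read to identify the SoC; the usual grant for a sysfs attribute is `r_file_perms`, and that keeps the daemon from being able to write into sysfs at all. Change the line to `allow vendor_location vendor_location_sysfs:file r_file_perms;`, and if a write is genuinely required, state which one in the comment above it so the wider grant is justified.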