Support new hostapd build target without HIDL
The new build target for hostapd does not include the HIDL control
interface and it's a separate binary from the hostapd used for WiFi
hotspots. This new binary needs its own SELinux rules and it should be
included in emulator builds since it's used to provide virtual access
points.
BUG: 74401469
Test: run cts -m CtsNetTestCases
(cherry picked from commit a53c522678f9178038dfdda6260f5c1b69c416ba)
Change-Id: I8fa4908d1bef8ff25573abb72bbac433ae3151de
diff --git a/target/board/generic/sepolicy/execns.te b/target/board/generic/sepolicy/execns.te
index 9675a99..dc6c424 100644
--- a/target/board/generic/sepolicy/execns.te
+++ b/target/board/generic/sepolicy/execns.te
@@ -6,7 +6,7 @@
allow execns varrun_file:dir search;
allow execns varrun_file:file r_file_perms;
-allow execns self:capability sys_admin;
+allow execns self:capability { sys_admin setuid setgid };
allow execns nsfs:file { open read };
#Allow execns itself to be run by init in its own domain
@@ -18,15 +18,8 @@
# Allow dhcpserver to be run by execns in its own domain
domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
-# Rules to allow execution of hostapd and allow it to run
-allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };
-allow execns self:capability { net_admin net_raw };
-allow execns self:netlink_generic_socket { bind create getattr read setopt write };
-allow execns self:netlink_route_socket { bind create read write nlmsg_write };
-allow execns execns:udp_socket { create ioctl };
-allow execns self:packet_socket { create setopt };
-allow execns sysfs_net:dir { search };
-allowxperm execns self:udp_socket ioctl priv_sock_ioctls;
+# Allow hostapd_nohidl to be run by execns in its own domain
+domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl);
# Allow execns to read createns proc file to get the namespace file
allow execns createns:file read;
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
index 73fe752..7cd79fe 100644
--- a/target/board/generic/sepolicy/file_contexts
+++ b/target/board/generic/sepolicy/file_contexts
@@ -24,6 +24,7 @@
/vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
/vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
/vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0
+/vendor/bin/hostapd_nohidl u:object_r:hostapd_nohidl_exec:s0
/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
diff --git a/target/board/generic/sepolicy/hostapd_nohidl.te b/target/board/generic/sepolicy/hostapd_nohidl.te
new file mode 100644
index 0000000..add648a
--- /dev/null
+++ b/target/board/generic/sepolicy/hostapd_nohidl.te
@@ -0,0 +1,16 @@
+type hostapd_nohidl, domain;
+type hostapd_nohidl_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hostapd_nohidl)
+net_domain(hostapd_nohidl)
+
+allow hostapd_nohidl execns:fd use;
+
+allow hostapd_nohidl self:capability { net_admin net_raw };
+allow hostapd_nohidl self:netlink_generic_socket { bind create getattr read setopt write };
+allow hostapd_nohidl self:netlink_route_socket nlmsg_write;
+allow hostapd_nohidl self:packet_socket { create setopt };
+allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls;
+
+# hostapd will attempt to search sysfs but it's not needed and will spam the log
+dontaudit hostapd_nohidl sysfs_net:dir search;
