From ca5bfb1ca7568a4e4b62c571cc1906a0ffc6c5ef Mon Sep 17 00:00:00 2001
From: Bjoern Johansson
Date: Mon, 19 Mar 2018 11:14:30 -0700
Subject: [PATCH] Update SELinux rules to support emulator WiFi

SELinux policies have become stricter, this updates the emulator SELinux rules to accomodate these changes. It also adds rules for the new createns command with the accompanying execns changes that are needed to work with an updated filesystem layout.
BUG: 74514143
Test: Compile emulator images and verify that WiFi works
Change-Id: I4b58cea681a1e41b0cb7368e1c696f74ce28f871
---
 target/board/generic/sepolicy/createns.te | 14 +++++++++++++
 target/board/generic/sepolicy/execns.te | 20 +++++++++++++++----
 target/board/generic/sepolicy/file.te | 1 +
 target/board/generic/sepolicy/file_contexts | 3 ++-
 target/board/generic/sepolicy/genfs_contexts | 3 +++
 .../board/generic/sepolicy/goldfish_setup.te | 9 ++++++++-
 target/product/emulator.mk | 1 +
 7 files changed, 45 insertions(+), 6 deletions(-)
 create mode 100644 target/board/generic/sepolicy/createns.te
diff --git a/target/board/generic/sepolicy/createns.te b/target/board/generic/sepolicy/createns.te
new file mode 100644
index 0000000000..1eaf9ef584
--- /dev/null
+++ b/target/board/generic/sepolicy/createns.te
@@ -0,0 +1,14 @@
+# Network namespace creation
+type createns, domain;
+type createns_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(createns)
+
+allow createns self:capability { sys_admin net_raw setuid setgid };
+allow createns varrun_file:dir { add_name search write };
+allow createns varrun_file:file { create mounton open read write };
+
+#Allow createns itself to be run by init in its own domain
+domain_auto_trans(goldfish_setup, createns_exec, createns);
+allow createns goldfish_setup:fd use;
+
diff --git a/target/board/generic/sepolicy/execns.te b/target/board/generic/sepolicy/execns.te
index d1e373e895..9675a99c74 100644
--- a/target/board/generic/sepolicy/execns.te
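Review bot: The comment `#Allow createns itself to be run by init in its own domain` sits above `domain_auto_trans(goldfish_setup, createns_exec, createns);`, which transitions from goldfish_setup, not init; the init transition is already what `init_daemon_domain(createns)` provides, so the comment should read `# Allow goldfish_setup to run createns in its own domain`. The same goldfish_setup transition is declared again in the goldfish_setup.te hunk of this patch, so one of the two copies is redundant and should be dropped. `allow createns self:capability { sys_admin net_raw setuid setgid };` is a broad grant for a vendor helper; a comment stating which operation needs each capability (namespace creation and the mount onto varrun_file for sys_admin, presumably a privilege drop for setuid/setgid — to be confirmed against the binary) would let the next reviewer check that none of them can be removed. The new file also ends with an empty added line that can go.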
+++ b/target/board/generic/sepolicy/execns.te
@@ -5,8 +5,9 @@ type execns_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(execns)
 allow execns varrun_file:dir search;
+allow execns varrun_file:file r_file_perms;
 allow execns self:capability sys_admin;
-allow execns proc:file { open read };
+allow execns nsfs:file { open read };
 #Allow execns itself to be run by init in its own domain
 domain_auto_trans(init, execns_exec, execns);
@@ -17,6 +18,17 @@ domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
 # Allow dhcpserver to be run by execns in its own domain
 domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
-# Allow hostapd to be run by execns in its own domain
-domain_auto_trans(execns, hostapd_exec, hostapd);
-allow hostapd execns:fd use;
+# Rules to allow execution of hostapd and allow it to run
+allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };
+allow execns self:capability { net_admin net_raw };
+allow execns self:netlink_generic_socket { bind create getattr read setopt write };
+allow execns self:netlink_route_socket { bind create read write nlmsg_write };
+allow execns execns:udp_socket { create ioctl };
+allow execns self:packet_socket { create setopt };
+allow execns sysfs_net:dir { search };
+allowxperm execns self:udp_socket ioctl priv_sock_ioctls;
+
+# Allow execns to read createns proc file to get the namespace file
+allow execns createns:file read;
+allow execns createns:dir search;
+allow execns createns:lnk_file read;
diff --git a/target/board/generic/sepolicy/file.te b/target/board/generic/sepolicy/file.te
index 4762e0d7af..b0aa217ae4 100644
--- a/target/board/generic/sepolicy/file.te
+++ b/target/board/generic/sepolicy/file.te
@@ -1,3 +1,4 @@
 type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type varrun_file, file_type, data_file_type, mlstrustedobject;
 type mediadrm_vendor_data_file, file_type, data_file_type;
+type nsfs, fs_type;
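Review bot: Replacing `domain_auto_trans(execns, hostapd_exec, hostapd);` with `allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };` keeps hostapd inside the execns domain, so the `net_admin net_raw` capabilities and the netlink, packet and udp socket rules that follow are granted to execns itself, which already holds sys_admin, rather than to a dedicated hostapd domain. If the platform's neverallow rules permit it, transitioning with `domain_auto_trans(execns, hal_wifi_hostapd_default_exec, hal_wifi_hostapd_default);` would keep those rules on the hostapd domain and restore the separation the removed lines had; if execute_no_trans is deliberate, a comment above it saying why the transition was dropped is needed. `allow execns execns:udp_socket { create ioctl };` names the domain explicitly where every neighbouring rule uses `self`; `allow execns self:udp_socket { create ioctl };` is equivalent and matches the `allowxperm execns self:udp_socket ioctl priv_sock_ioctls;` line it pairs with.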
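Review bot: `type nsfs, fs_type;` declares the type in device policy; if the platform policy (system/sepolicy) declares an nsfs type for the same filesystem in the release this targets, the duplicate declaration fails the policy build and the device copy should be dropped in favour of the platform one — worth confirming before merging. A short comment above the line, such as `# Namespace handles under /proc/<pid>/ns, labelled via genfs_contexts`, would tie this declaration to the genfs_contexts hunk that uses it.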
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
index 41a319e76e..73fe75245b 100644
--- a/target/board/generic/sepolicy/file_contexts
+++ b/target/board/generic/sepolicy/file_contexts
@@ -19,6 +19,7 @@
 /vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
 /vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0
 /vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
+/vendor/bin/createns u:object_r:createns_exec:s0
 /vendor/bin/execns u:object_r:execns_exec:s0
 /vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
 /vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
@@ -41,5 +42,5 @@
 # data
 /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
-/data/var/run(/.*)? u:object_r:varrun_file:s0
+/data/vendor/var/run(/.*)? u:object_r:varrun_file:s0
diff --git a/target/board/generic/sepolicy/genfs_contexts b/target/board/generic/sepolicy/genfs_contexts
index 91cedf13de..1b816263b0 100644
--- a/target/board/generic/sepolicy/genfs_contexts
+++ b/target/board/generic/sepolicy/genfs_contexts
@@ -15,3 +15,6 @@ genfscon sysfs /devices/platform/GFSH0007:00/rtc u:object_r:sysfs_rtc:s0
 genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0
+
+# /proc//ns
+genfscon nsfs / u:object_r:nsfs:s0
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
index 31d35e68a3..1492cbd425 100644
--- a/target/board/generic/sepolicy/goldfish_setup.te
+++ b/target/board/generic/sepolicy/goldfish_setup.te
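Review bot: The comment `# /proc//ns` above `genfscon nsfs / u:object_r:nsfs:s0` has lost its placeholder — presumably a `<pid>` was stripped when the page was rendered, but if the committed file really reads `/proc//ns` it should say `# /proc/<pid>/ns (namespace handles exposed by nsfs)`. Labelling the nsfs root as a single type means, as far as this label is concerned, every domain allowed `nsfs:file` (execns and goldfish_setup in this patch) can open any namespace kind, not only network namespaces; that is the granularity genfscon offers, so a comment stating it keeps the limitation visible to whoever next extends the nsfs rules.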
@@ -17,7 +17,7 @@ set_prop(goldfish_setup, ctl_default_prop);
 # Set up WiFi
 allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
-allow goldfish_setup self:netlink_socket create_socket_perms_no_ioctl;
+allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow goldfish_setup self:capability { sys_module sys_admin };
 allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
 allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
@@ -25,14 +25,21 @@ allow goldfish_setup execns_exec:file rx_file_perms;
 allow goldfish_setup proc_net:file rw_file_perms;
 allow goldfish_setup proc:file r_file_perms;
 set_prop(goldfish_setup, ctl_default_prop);
+allow goldfish_setup nsfs:file r_file_perms;
 allow goldfish_setup system_data_file:dir getattr;
 allow goldfish_setup kernel:system module_request;
 # Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
 allow goldfish_setup system_file:file execute_no_trans;
 # Allow goldfish_setup to run init.wifi.sh
 allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
+#Allow goldfish_setup to run createns in its own domain
+domain_auto_trans(goldfish_setup, createns_exec, createns);
 # iw
 allow goldfish_setup sysfs:file { read open };
 # iptables
 allow goldfish_setup system_file:file lock;
 allow goldfish_setup self:rawip_socket { create getopt setopt };
+# Allow goldfish_setup to read createns proc file to get the namespace file
+allow goldfish_setup createns:file { read };
+allow goldfish_setup createns:dir { search };
+allow goldfish_setup createns:lnk_file { read };
diff --git a/target/product/emulator.mk b/target/product/emulator.mk
index 7a6aa09c87..11466b8900 100644
--- a/target/product/emulator.mk
+++ b/target/product/emulator.mk
@@ -119,6 +119,7 @@ PRODUCT_PACKAGES += \
 # WiFi
 PRODUCT_PACKAGES += \
+ createns \
 dhcpclient \
 dhcpserver \
 execns \
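Review bot: The three new rules `allow goldfish_setup createns:file { read };`, `createns:dir { search };` and `createns:lnk_file { read };` wrap a single permission in braces, whereas the equivalent execns.te lines in this same patch write `allow execns createns:file read;` and single permissions elsewhere in this file are brace-less (`allow goldfish_setup system_file:file lock;`); use the brace-less form here for consistency. `domain_auto_trans(goldfish_setup, createns_exec, createns);` repeats the transition already declared in the new createns.te, so it should live in only one of the two files. With the namespace handles now labelled nsfs, the context line `allow goldfish_setup proc:file r_file_perms;` may no longer be needed for them, though it likely serves other reads and should only be dropped after an audit of what the setup scripts touch.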