Merge "Support new hostapd build target without HIDL"
diff --git a/target/board/generic/sepolicy/execns.te b/target/board/generic/sepolicy/execns.te
index 9675a99..dc6c424 100644
--- a/target/board/generic/sepolicy/execns.te
+++ b/target/board/generic/sepolicy/execns.te
@@ -6,7 +6,7 @@
allow execns varrun_file:dir search;
allow execns varrun_file:file r_file_perms;
-allow execns self:capability sys_admin;
+allow execns self:capability { sys_admin setuid setgid };
allow execns nsfs:file { open read };
#Allow execns itself to be run by init in its own domain
@@ -18,15 +18,8 @@
# Allow dhcpserver to be run by execns in its own domain
domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
-# Rules to allow execution of hostapd and allow it to run
-allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };
-allow execns self:capability { net_admin net_raw };
-allow execns self:netlink_generic_socket { bind create getattr read setopt write };
-allow execns self:netlink_route_socket { bind create read write nlmsg_write };
-allow execns execns:udp_socket { create ioctl };
-allow execns self:packet_socket { create setopt };
-allow execns sysfs_net:dir { search };
-allowxperm execns self:udp_socket ioctl priv_sock_ioctls;
+# Allow hostapd_nohidl to be run by execns in its own domain
+domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl);
# Allow execns to read createns proc file to get the namespace file
allow execns createns:file read;
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
index 73fe752..7cd79fe 100644
--- a/target/board/generic/sepolicy/file_contexts
+++ b/target/board/generic/sepolicy/file_contexts
@@ -24,6 +24,7 @@
/vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
/vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
/vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0
+/vendor/bin/hostapd_nohidl u:object_r:hostapd_nohidl_exec:s0
/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
diff --git a/target/board/generic/sepolicy/hostapd_nohidl.te b/target/board/generic/sepolicy/hostapd_nohidl.te
new file mode 100644
index 0000000..add648a
--- /dev/null
+++ b/target/board/generic/sepolicy/hostapd_nohidl.te
@@ -0,0 +1,16 @@
+type hostapd_nohidl, domain;
+type hostapd_nohidl_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hostapd_nohidl)
+net_domain(hostapd_nohidl)
+
+allow hostapd_nohidl execns:fd use;
+
+allow hostapd_nohidl self:capability { net_admin net_raw };
+allow hostapd_nohidl self:netlink_generic_socket { bind create getattr read setopt write };
+allow hostapd_nohidl self:netlink_route_socket nlmsg_write;
+allow hostapd_nohidl self:packet_socket { create setopt };
+allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls;
+
+# hostapd will attempt to search sysfs but it's not needed and will spam the log
+dontaudit hostapd_nohidl sysfs_net:dir search;