platform_system_sepolicy/private/mdnsd.te

# mdns daemon

typeattribute mdnsd coredomain;
typeattribute mdnsd mlstrustedsubject;

type mdnsd_exec, system_file_type, exec_type, file_type;
init_daemon_domain(mdnsd)

net_domain(mdnsd)

# Read from /proc/net
r_dir_file(mdnsd, proc_net_type)
Move mdnsd policy to private This leaves only the existence of mdnsd domain as public API. All other rules are implementation details of this domains's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules to do with mdnsd_current (as expected). Bug: 31364497 Change-Id: Ia4f01d91e7d593401e8cde2d796a0f1023f6dae4 2017-02-07 00:00:23 +01:00			`# mdns daemon`

Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute mdnsd coredomain;`
Move mdnsd policy to private This leaves only the existence of mdnsd domain as public API. All other rules are implementation details of this domains's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules to do with mdnsd_current (as expected). Bug: 31364497 Change-Id: Ia4f01d91e7d593401e8cde2d796a0f1023f6dae4 2017-02-07 00:00:23 +01:00			`typeattribute mdnsd mlstrustedsubject;`

Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5 2018-09-27 19:21:37 +02:00			`type mdnsd_exec, system_file_type, exec_type, file_type;`
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`init_daemon_domain(mdnsd)`
Move mdnsd policy to private This leaves only the existence of mdnsd domain as public API. All other rules are implementation details of this domains's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules to do with mdnsd_current (as expected). Bug: 31364497 Change-Id: Ia4f01d91e7d593401e8cde2d796a0f1023f6dae4 2017-02-07 00:00:23 +01:00
			`net_domain(mdnsd)`

			`# Read from /proc/net`
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e) 2018-04-10 21:47:48 +02:00			`r_dir_file(mdnsd, proc_net_type)`