platform_system_sepolicy/private/netutils_wrapper.te

typeattribute netutils_wrapper coredomain;
typeattribute netutils_wrapper bpfdomain;

r_dir_file(netutils_wrapper, system_file);

# For netutils (ip, iptables, tc)
allow netutils_wrapper self:global_capability_class_set net_raw;

allow netutils_wrapper system_file:file { execute execute_no_trans };
allow netutils_wrapper proc_net_type:file { open read getattr };
allow netutils_wrapper self:rawip_socket create_socket_perms;
allow netutils_wrapper self:udp_socket create_socket_perms;
allow netutils_wrapper self:global_capability_class_set net_admin;
# ip utils need everything but ioctl
allow netutils_wrapper self:netlink_route_socket ~ioctl;
allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;

# For netutils (ndc) to be able to talk to netd
allow netutils_wrapper netd_service:service_manager find;
allow netutils_wrapper dnsresolver_service:service_manager find;
allow netutils_wrapper mdns_service:service_manager find;
binder_use(netutils_wrapper);
binder_call(netutils_wrapper, netd);

# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
allow netutils_wrapper fs_bpf:dir search;
allow netutils_wrapper fs_bpf:file { read write };
allow netutils_wrapper bpfloader:bpf prog_run;

# For /data/misc/net access to ndc and ip
r_dir_file(netutils_wrapper, net_data_file)

domain_auto_trans({
    domain
    -coredomain
    -appdomain
}, netutils_wrapper_exec, netutils_wrapper)

# suppress spurious denials
dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
dontaudit netutils_wrapper sysfs_type:file read;

# netutils wrapper may only use the following capabilities.
neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
add netutils_wrappers Bug: 36463595 Test: Boot sailfish, make wifi call, internet over data and wifi Change-Id: I81259b6412d7197725afe2fe4976aa0a03b8df6e Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-04-15 04:06:56 +02:00			`typeattribute netutils_wrapper coredomain;`
bpfdomain: attribute for domain which can use BPF Require all domains which can be used for BPF to be marked as bpfdomain, and add a restriction for these domains to not be able to use net_raw or net_admin. We want to make sure the network stack has exclusive access to certain BPF attach points. Bug: 140330870 Bug: 162057235 Test: build (compile-time neverallows) Change-Id: I29100e48a757fdcf600931d5eb42988101275325 2022-02-10 01:32:44 +01:00			`typeattribute netutils_wrapper bpfdomain;`
add netutils_wrappers Bug: 36463595 Test: Boot sailfish, make wifi call, internet over data and wifi Change-Id: I81259b6412d7197725afe2fe4976aa0a03b8df6e Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-04-15 04:06:56 +02:00
			`r_dir_file(netutils_wrapper, system_file);`

			`# For netutils (ip, iptables, tc)`
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f 2017-11-09 23:51:26 +01:00			`allow netutils_wrapper self:global_capability_class_set net_raw;`
add netutils_wrappers Bug: 36463595 Test: Boot sailfish, make wifi call, internet over data and wifi Change-Id: I81259b6412d7197725afe2fe4976aa0a03b8df6e Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-04-15 04:06:56 +02:00
			`allow netutils_wrapper system_file:file { execute execute_no_trans };`
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e) 2018-04-10 21:47:48 +02:00			`allow netutils_wrapper proc_net_type:file { open read getattr };`
add netutils_wrappers Bug: 36463595 Test: Boot sailfish, make wifi call, internet over data and wifi Change-Id: I81259b6412d7197725afe2fe4976aa0a03b8df6e Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-04-15 04:06:56 +02:00			`allow netutils_wrapper self:rawip_socket create_socket_perms;`
			`allow netutils_wrapper self:udp_socket create_socket_perms;`
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f 2017-11-09 23:51:26 +01:00			`allow netutils_wrapper self:global_capability_class_set net_admin;`
add netutils_wrappers Bug: 36463595 Test: Boot sailfish, make wifi call, internet over data and wifi Change-Id: I81259b6412d7197725afe2fe4976aa0a03b8df6e Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-04-15 04:06:56 +02:00			`# ip utils need everything but ioctl`
			`allow netutils_wrapper self:netlink_route_socket ~ioctl;`
			`allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;`

			`# For netutils (ndc) to be able to talk to netd`
Sepolicy for netutils_wrapper to use binder call Bug: 65862741 Test: built, flashed, booted Change-Id: I346520c47b74fde5137ad7c777f0a9eca50a06d7 2019-03-19 08:07:00 +01:00			`allow netutils_wrapper netd_service:service_manager find;`
			`allow netutils_wrapper dnsresolver_service:service_manager find;`
Add sepolicy for mdns service mdns service is a subset of netd-provided services, so it gets the same treatment as netd_service or dnsresolver_service Bug: 209894875 Test: built, flashed, booted Change-Id: I33de769c4fff41e816792a34015a70f89e4b8a8c 2021-12-09 04:49:23 +01:00			`allow netutils_wrapper mdns_service:service_manager find;`
Sepolicy for netutils_wrapper to use binder call Bug: 65862741 Test: built, flashed, booted Change-Id: I346520c47b74fde5137ad7c777f0a9eca50a06d7 2019-03-19 08:07:00 +01:00			`binder_use(netutils_wrapper);`
			`binder_call(netutils_wrapper, netd);`
add netutils_wrappers Bug: 36463595 Test: Boot sailfish, make wifi call, internet over data and wifi Change-Id: I81259b6412d7197725afe2fe4976aa0a03b8df6e Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-04-15 04:06:56 +02:00
Allow netutils_wrapper to use pinned bpf program The netutils_wrapper is a process used by vendor code to update the iptable rules on devices. When it update the rules for a specific chain. The iptable module will reload the whole chain with the new rule. So even the netutils_wrapper do not need to add any rules related to xt_bpf module, it will still reloading the existing iptables rules about xt_bpf module and need pass through the selinux check again when the rules are reloading. So we have to grant it the permission to reuse the pinned program in fs_bpf when it modifies the corresponding iptables chain so the vendor module will not crash anymore. Test: device boot and no more denials from netutils_wrapper Bug: 72111305 Change-Id: I62bdfd922c8194c61b13e2855839aee3f1e349be 2018-03-29 01:51:26 +02:00			`# For vendor code that update the iptables rules at runtime. They need to reload`
			`# the whole chain including the xt_bpf rules. They need to access to the pinned`
			`# program when reloading the rule.`
			`allow netutils_wrapper fs_bpf:dir search;`
			`allow netutils_wrapper fs_bpf:file { read write };`
			`allow netutils_wrapper bpfloader:bpf prog_run;`

add netutils_wrappers Bug: 36463595 Test: Boot sailfish, make wifi call, internet over data and wifi Change-Id: I81259b6412d7197725afe2fe4976aa0a03b8df6e Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-04-15 04:06:56 +02:00			`# For /data/misc/net access to ndc and ip`
			`r_dir_file(netutils_wrapper, net_data_file)`

			`domain_auto_trans({`
			`domain`
			`-coredomain`
			`-appdomain`
			`}, netutils_wrapper_exec, netutils_wrapper)`
Suppress spurious denial Addresses: avc: denied { sys_resource } for comm="ip6tables" capability=24 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0 tclass=capability Bug: 77905989 Test: build and flash taimen-userdebug Change-Id: Ic5d7c96152b96b55255eeec00b19948f38c1923c (cherry picked from commit 443a43c98121363929f268b1f77bd229a3247d3a) 2018-04-11 19:46:30 +02:00
			`# suppress spurious denials`
			`dontaudit netutils_wrapper self:global_capability_class_set sys_resource;`
netutils_wrapper: suppress sysfs denials Addresses spurious denials caused by users of netutils_wrapper which open files in /sys without O_CLOEXEC. avc: denied { read } for comm="iptables-wrappe" dev="sysfs" ino=47786 scontext=u:r:netutils_wrapper:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file Test: build Change-Id: I1c1f82428555be6a9798a189420dd85a9db107f7 2019-03-29 22:29:42 +01:00			`dontaudit netutils_wrapper sysfs_type:file read;`
Suppress spurious denial Addresses: avc: denied { sys_resource } for comm="ip6tables" capability=24 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0 tclass=capability Bug: 77905989 Test: build and flash taimen-userdebug Change-Id: Ic5d7c96152b96b55255eeec00b19948f38c1923c (cherry picked from commit 443a43c98121363929f268b1f77bd229a3247d3a) 2018-04-11 19:46:30 +02:00
			`# netutils wrapper may only use the following capabilities.`
			`neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };`