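# network manager
#
# Domain for netd. netd is a core system domain (mlstrustedsubject) whose
# executable lives on /system (netd_exec is a system_file_type). Rules are
# grouped by the kernel interface they cover; the neverallow section at the
# end of the file states what netd must never be granted.
type netd, domain, mlstrustedsubject;
type netd_exec, system_file_type, exec_type, file_type;

net_domain(netd)

# Connect to mdnsd via mdnsd socket.
unix_socket_connect(netd, mdnsd, mdnsd)

# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;

# Read-only access to the cgroup hierarchy (cgroup_v2 is granted further down).
r_dir_file(netd, cgroup)

# Use file descriptors handed to netd by system_server.
allow netd system_server:fd use;

# net_admin / net_raw cover interface, routing and raw-socket configuration.
# kill is presumably for signalling dnsmasq (see the dnsmasq:process rule
# further down) — confirm.
allow netd self:global_capability_class_set { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for netd to operate.
dontaudit netd self:global_capability_class_set fsetid;

# Allow netd to open /dev/tun, set it up and pass it to clatd.
# ioctl on the tun device is restricted to the two listed commands.
allow netd tun_device:chr_file rw_file_perms;
allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
allow netd self:tun_socket create;

# Netlink sockets netd creates for itself. ioctl is withheld on all of them
# (create_socket_perms_no_ioctl); nlmsg_read/nlmsg_write are granted only
# where listed explicitly.
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# netlink_route_socket gets only nlmsg_write here; its create/read
# permissions are not granted in this file — presumably they come from
# net_domain() or the base domain policy (confirm).
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
allow netd self:netlink_socket create_socket_perms_no_ioctl;
allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;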
Enable SELinux protections for netd.
This change does several things:
1) Restore domain.te to the version present at
cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version
currently being distributed in AOSP.
2) Add "allow domain properties_device:file r_file_perms;" to
domain.te, to allow all domains to read /dev/__properties__ .
This change was missing from AOSP.
3) Restore netd.te to the version present at
80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version
currently being distributed in AOSP.
4) Remove anything involving module loading from netd.te. CTS
enforces that Android kernels can't have module loading enabled.
5) Add several new capabilities, plus data file rules, to
netd.te, since netd needs to write to files owned by wifi.
6) Add a new unconfined domain called dnsmasq.te, and allow
transitions from netd to that domain. Over time, we'll tighten up
the dnsmasq.te domain.
7) Add a new unconfined domain called hostapd.te, and allow
transitions from netd to that domain. Over time, we'll tighten up
the hostapd.te domain.
The net effect of these changes is to re-enable SELinux protections
for netd. The policy is FAR from perfect, and allows a lot of wiggle
room, but we can improve it over time.
Testing: as much as possible, I've exercised networking related
functionality, including turning on and off wifi, entering airplane
mode, and enabling tethering and portable wifi hotspots. It's quite
possible I've missed something, and if we experience problems, I
can roll back this change.
Bug: 9618347
Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
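# Execute rights: shell scripts (shell_exec) and binaries on /system.
# Executing vendor binaries is limited to pre-Treble builds (not_full_treble).
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
not_full_treble(`allow netd vendor_file:file x_file_perms;')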
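allow netd devpts:chr_file rw_file_perms;

# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
# exist, suppress the denial.
# (The same lock rule appears again further down under "Needed to lock the
# iptables lock"; one of the two is redundant.)
allow netd system_file:file lock;
dontaudit netd system_file:dir write;

# Allow netd to write to qtaguid ctrl file.
# TODO: Add proper rules to prevent other processes from accessing the
# qtaguid_proc file after the migration is complete.
allow netd proc_qtaguid_ctrl:file rw_file_perms;
# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
allow netd qtaguid_device:chr_file r_file_perms;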
Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will be assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
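# Read everything under /proc/net that carries a proc_net_type type.
r_dir_file(netd, proc_net_type)
# For /proc/sys/net/ipv[46]/route/flush.
# NOTE(review): this grants rw on every proc_net_type file, not only the
# route/flush nodes; a dedicated type for those nodes would narrow it.
allow netd proc_net_type:file rw_file_perms;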
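# Enables PppController and interface enumeration (among others)
allow netd sysfs:dir r_dir_perms;
r_dir_file(netd, sysfs_net)

# Allows setting interface MTU
# NOTE(review): w_file_perms applies to every sysfs_net file, not only the
# mtu node.
allow netd sysfs_net:file w_file_perms;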
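# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;

# Read-only access to the cgroup v2 hierarchy.
r_dir_file(netd, cgroup_v2)

# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
# dac_override / dac_read_search bypass discretionary (uid/gid) permission
# checks entirely, so these are among the broadest grants in this file; the
# TODO above still stands.
allow netd self:global_capability_class_set { dac_override dac_read_search chown };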
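# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
# fowner lets netd act on net_data_file objects it does not own.
allow netd self:global_capability_class_set fowner;

# Needed to lock the iptables lock.
# (Duplicate of the system_file:file lock rule granted earlier for
# /system/etc/xtables.lock.)
allow netd system_file:file lock;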
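# Allow netd to spawn dnsmasq in its own domain.
# This rule only lets netd signal / kill the spawned dnsmasq; the domain
# transition itself is not in this block (presumably in dnsmasq.te or via a
# macro — confirm).
allow netd dnsmasq:process { sigkill signal };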
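# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
add_service(netd, netd_service)
add_service(netd, dnsresolver_service)
add_service(netd, mdns_service)
# Let netd write its dump output into the pipe dumpstate hands it.
allow netd dumpstate:fifo_file { getattr write };

# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
allow netd permission_service:service_manager find;

# Allow netd to talk to the framework service which collects netd events.
allow netd netd_listener_service:service_manager find;

# Allow netd to operate on sockets that are passed to it.
# Only I/O and option access are granted on netdomain sockets; netd does not
# get create/bind/connect on them here.
allow netd netdomain:{
  icmp_socket
  tcp_socket
  udp_socket
  rawip_socket
  tun_socket
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;

# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };

# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)

# AIDL hal server
# NOTE(review): the first argument to binder_call is a service type here,
# whereas the add_service line below uses system_net_netd_service as the
# service and netd as the domain. Verify this is intended; it looks like the
# domain (netd) was meant.
binder_call(system_net_netd_service, servicemanager)
add_service(netd, system_net_netd_service)

###
### Neverallow rules
###
### netd should NEVER do any of this
###
### neverallow rules are checked when the policy is built, so a stray allow
### rule anywhere in the policy that contradicts them fails the build.

# Block device access.
neverallow netd dev_type:blk_file { read write };

# ptrace any other process (domain covers every process type, not only apps).
neverallow netd { domain }:process ptrace;

# Write to /system.
neverallow netd system_file_type:dir_file_class_set write;

# Write to files in /data/data or system files on /data
neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;

# only system_server, dumpstate, network_stack, netd itself and
# netutils_wrapper may find the netd service
neverallow {
  domain
  -system_server
  -dumpstate
  -network_stack
  -netd
  -netutils_wrapper
} netd_service:service_manager find;

# only system_server, dumpstate, network_stack, netd itself and
# netutils_wrapper may find the dnsresolver service
neverallow {
  domain
  -system_server
  -dumpstate
  -network_stack
  -netd
  -netutils_wrapper
} dnsresolver_service:service_manager find;

# only system_server, dumpstate, network_stack, netd itself and
# netutils_wrapper may find the mdns service
neverallow {
  domain
  -system_server
  -dumpstate
  -network_stack
  -netd
  -netutils_wrapper
} mdns_service:service_manager find;

# apps may not interact with netd over binder.
# network_stack is exempted in both directions; su is exempted from the
# outbound rule on userdebug/eng builds only.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;

# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
neverallow netd proc_net:dir no_w_dir_perms;
dontaudit netd proc_net:dir write;

neverallow netd sysfs_net:dir no_w_dir_perms;
dontaudit netd sysfs_net:dir write;

# Netd should not have SYS_ADMIN privs.
# The neverallow is the guarantee; the dontaudit only keeps the log quiet.
# NOTE(review): this is written against `capability` only, while the allow
# rules above use global_capability_class_set; if that macro also covers
# cap_userns, this neverallow bounds less than the grants do — confirm
# against the macro definition.
neverallow netd self:capability sys_admin;
dontaudit netd self:capability sys_admin;

# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
# (things it requires should be built directly into the kernel)
# No allow rule for sys_module or module_request exists in this file; these
# dontaudit rules silence the denials without granting anything.
dontaudit netd self:capability sys_module;
dontaudit netd kernel:system module_request;

# Silence read/write denials on app unix stream sockets that reach netd;
# nothing is granted.
dontaudit netd appdomain:unix_stream_socket { read write };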