platform_system_sepolicy/public/dnsmasq.te

26 lines
1 KiB
Text
Raw Normal View History

# DNS, DHCP services
type dnsmasq, domain;
type dnsmasq_exec, system_file_type, exec_type, file_type;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
net_domain(dnsmasq)
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
# TODO: Run with dhcp group to avoid need for dac_override.
allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
allow dnsmasq dhcp_data_file:dir w_dir_perms;
allow dnsmasq dhcp_data_file:file create_file_perms;
# Inherit and use open files from netd.
allow dnsmasq netd:fd use;
allow dnsmasq netd:fifo_file { getattr read write };
# TODO: Investigate whether these inherited sockets should be closed on exec.
allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
allow dnsmasq netd:netlink_nflog_socket { read write };
allow dnsmasq netd:netlink_route_socket { read write };
allow dnsmasq netd:unix_stream_socket { getattr read write };
allow dnsmasq netd:unix_dgram_socket { read write };
allow dnsmasq netd:udp_socket { read write };