platform_system_sepolicy/private/netd.te

typeattribute netd coredomain;

init_daemon_domain(netd)

# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)

# Allow netd to start clatd in its own domain
domain_auto_trans(netd, clatd_exec, clatd)

# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
allow netd bpfloader:bpf { prog_run map_read map_write };

get_prop(netd, bpf_progs_loaded_prop)

# Allow netd to write to statsd.
unix_socket_send(netd, statsdw, statsd)

# Allow netd to send callbacks to network_stack
binder_call(netd, network_stack)
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute netd coredomain;`

Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`init_daemon_domain(netd)`

			`# Allow netd to spawn dnsmasq in it's own domain`
			`domain_auto_trans(netd, dnsmasq_exec, dnsmasq)`

			`# Allow netd to start clatd in its own domain`
			`domain_auto_trans(netd, clatd_exec, clatd)`
Add sepolicy to lock down bpf access Add a new set of sepolicy for the process that only netd use to load and run ebpf programs. It is the only process that can load eBPF programs into the kernel and is only used to do that. Add some neverallow rules regarding which processes have access to bpf objects. Test: program successfully loaded and pinned at sys/fs/bpf after device boot. No selinux violation for bpfloader Bug: 30950746 Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f 2018-01-03 00:31:18 +01:00
Use bpfloader to create bpf maps instead of netd Recent change in netd and bpfloader switched the creater of bpf maps from netd to bpfloader. Change the rules related to it to make sure it doesn't fail. Test: dumpsys netd trafficcontroller Bug: 112334572 Change-Id: I016ff68b58ef7b12bdfdebc2fd178be1d0206a62 2018-12-05 02:57:27 +01:00			`# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write`
			`# the map created by bpfloader`
			`allow netd bpfloader:bpf { prog_run map_read map_write };`
Add permissions for bpf.progs_loaded property Change-Id: If4e550e4186415c5a1088bb53b0755b69f92560a Signed-off-by: Joel Fernandes <joelaf@google.com> 2019-01-11 14:32:45 +01:00
			`get_prop(netd, bpf_progs_loaded_prop)`
Allow netd to write to statsd config sepolicy to allow netd to write to statsd. Test: run runtests.sh, make sure no missing test and get all pass run /out/host/linux-x86/bin/statsd_testdrive 82 Got following metric data dump:pass for local test Bug: 119862317 Change-Id: Ieff5ca55de46715d54ef57c4a6d144fd7d03e4b7 2018-11-21 15:53:48 +01:00
			`# Allow netd to write to statsd.`
			`unix_socket_send(netd, statsdw, statsd)`
Add NetworkStack policies for netd and netlink Allow netd to send network events to the NetworkStack, and allow the NetworkStack to interact with netlink_route_socket for neighbor monitoring. Test: built, booted, WiFi works, no more violations Bug: 112869080 Change-Id: If212b2897e37e9d249f81ba8139461bce461528e 2019-01-28 05:08:42 +01:00
			`# Allow netd to send callbacks to network_stack`
			`binder_call(netd, network_stack)`