selinux - allow netd to create tun device and pass it in via open fd across execve to clatd cli
This is needed to resolve some race conditions between clatd startup and interface naming/numbering. This resolves: type=1400 audit(): avc: denied { read write } for comm="Binder:820_4" name="tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file type=1400 audit(): avc: denied { open } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file type=1400 audit(): avc: denied { ioctl } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 ioctlcmd=0x54ca scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file type=1400 audit(): avc: denied { create } for comm="Binder:820_4" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tun_socket Test: built/installed on crosshatch with netd->clatd tunfd passing and observed no selinux denials Bug: 65674744 Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: Ib501c755e11ec8a3a22c8aa333b5af7ec0bff306
This commit is contained in:
parent
b3b12729f4
commit
6450e0038b
1 changed files with 5 additions and 0 deletions
@ -19,6 +19,11 @@ allow netd self:global_capability_class_set { net_admin net_raw kill };
# for netd to operate.
dontaudit netd self:global_capability_class_set fsetid;
# Allow netd to open /dev/tun, set it up and pass it to clatd
allow netd tun_device:chr_file rw_file_perms;
allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
allow netd self:tun_socket create;
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
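Review bot: `allow netd tun_device:chr_file rw_file_perms;` grants more than the four denials quoted in the description ({ read write open ioctl }); as I recall Android's `rw_file_perms` macro also expands to getattr, lock, append and map, so the literal `allow netd tun_device:chr_file { open read write ioctl };` would match the observed need exactly and would still be gated by the `allowxperm` line that follows it. That xperm set whitelists TUNGETIFF as well, while the only quoted ioctl denial is ioctlcmd=0x54ca (TUNSETIFF); if the setup code does read the interface flags back, a comment such as `# TUNSETIFF creates/names the interface, TUNGETIFF reads its flags back` would record why both are needed rather than leaving the second one to be inferred. The description says the fd is handed to clatd across execve, but the clatd side (`allow clatd netd:fd use;` plus clatd's own tun_device:chr_file rights, which SELinux re-validates on inherited fds at exec) is not in this hunk, so presumably it is already covered in clatd.te from when clatd opened /dev/tun itself; worth confirming against the crosshatch run mentioned in the test line.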