From 6450e0038bb5d0b900035a729e84a9ff1a5b0bb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?=
Date: Mon, 8 Apr 2019 21:18:50 -0700
Subject: [PATCH] selinux - allow netd to create tun device and pass it in via open fd across execve to clatd cli
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is needed to resolve some race conditions between clatd startup and interface naming/numbering.
This resolves:
type=1400 audit(): avc: denied { read write } for comm="Binder:820_4" name="tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
type=1400 audit(): avc: denied { open } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
type=1400 audit(): avc: denied { ioctl } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 ioctlcmd=0x54ca scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
type=1400 audit(): avc: denied { create } for comm="Binder:820_4" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tun_socket
Test: built/installed on crosshatch with netd->clatd tunfd passing and observed no selinux denials
Bug: 65674744
Signed-off-by: Maciej Żenczykowski
Change-Id: Ib501c755e11ec8a3a22c8aa333b5af7ec0bff306
---
 public/netd.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/public/netd.te b/public/netd.te
index 1a2163d96..c8877b245 100644
--- a/public/netd.te
+++ b/public/netd.te 
@@ -19,6 +19,11 @@ allow netd self:global_capability_class_set { net_admin net_raw kill };
 # for netd to operate.
 dontaudit netd self:global_capability_class_set fsetid;
 
+# Allow netd to open /dev/tun, set it up and pass it to clatd
+allow netd tun_device:chr_file rw_file_perms;
+allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allow netd self:tun_socket create;
+
 allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_route_socket nlmsg_write;
 allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
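Review bot: The `allowxperm` line grants TUNGETIFF as well as TUNSETIFF, but the only ioctl in the logged denials is `ioctlcmd=0x54ca` (TUNSETIFF), so either the comment should say what netd uses TUNGETIFF for or the set should shrink to `allowxperm netd tun_device:chr_file ioctl { TUNSETIFF };` to keep the extended-permission set at what the commit evidences. The comment above the rules would also be more useful if it named the hand-off mechanism and the bug, e.g. `# Allow netd to open /dev/tun and create/configure the clat tun interface (TUNSETIFF), then hand the open fd to clatd across execve (bug 65674744)`. Note that the hand-off itself depends on rules outside this hunk — clatd's domain must be allowed `netd:fd use` and read/write on `tun_device:chr_file` — which this patch does not touch; if those are not already in clatd.te the denials will simply move to the clatd side, so it is worth stating in the commit message that they were verified to exist.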