From 70b0a77ee0698b943a46c45c8ec83e318aa9ca3a Mon Sep 17 00:00:00 2001
From: paulhu <paulhu@google.com>
Date: Thu, 9 Dec 2021 11:49:23 +0800
Subject: [PATCH] Add sepolicy for mdns service

mdns service is a subset of netd-provided services, so it gets
the same treatment as netd_service or dnsresolver_service

Bug: 209894875
Test: built, flashed, booted
Change-Id: I33de769c4fff41e816792a34015a70f89e4b8a8c
---
 private/atrace.te                   |  1 +
 private/compat/32.0/32.0.ignore.cil |  1 +
 private/netutils_wrapper.te         |  1 +
 private/network_stack.te            |  1 +
 private/service_contexts            |  1 +
 private/system_app.te               |  2 ++
 private/system_server.te            |  1 +
 public/netd.te                      | 11 +++++++++++
 public/service.te                   |  1 +
 public/shell.te                     |  1 +
 public/traceur_app.te               |  1 +
 11 files changed, 22 insertions(+)

diff --git a/private/atrace.te b/private/atrace.te
index cbb5b7c5b..2ab8c693d 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -33,6 +33,7 @@ allow atrace {
   -installd_service
   -iorapd_service
   -lpdump_service
+  -mdns_service
   -netd_service
   -stats_service
   -tracingproxy_service
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index db019f014..92c0b0500 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -45,6 +45,7 @@
     hal_wifi_hostapd_service
     hal_wifi_supplicant_service
     locale_service
+    mdns_service
     mtectrl
     nearby_service
     proc_watermark_boost_factor
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index ca3b51585..cdc342db9 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -17,6 +17,7 @@ allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
 # For netutils (ndc) to be able to talk to netd
 allow netutils_wrapper netd_service:service_manager find;
 allow netutils_wrapper dnsresolver_service:service_manager find;
+allow netutils_wrapper mdns_service:service_manager find;
 binder_use(netutils_wrapper);
 binder_call(netutils_wrapper, netd);
 
diff --git a/private/network_stack.te b/private/network_stack.te
index 09a98b534..254688818 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -22,6 +22,7 @@ allow network_stack self:netlink_route_socket nlmsg_write;
 
 allow network_stack app_api_service:service_manager find;
 allow network_stack dnsresolver_service:service_manager find;
+allow network_stack mdns_service:service_manager find;
 allow network_stack netd_service:service_manager find;
 allow network_stack network_watchlist_service:service_manager find;
 allow network_stack radio_service:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index b5e34072e..72736763e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -207,6 +207,7 @@ logcat                                    u:object_r:logcat_service:s0
 logd                                      u:object_r:logd_service:s0
 looper_stats                              u:object_r:looper_stats_service:s0
 lpdump_service                            u:object_r:lpdump_service:s0
+mdns                                      u:object_r:mdns_service:s0
 media.aaudio                              u:object_r:audioserver_service:s0
 media.audio_flinger                       u:object_r:audioserver_service:s0
 media.audio_policy                        u:object_r:audioserver_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 460ad4b7b..8c1fdbfa0 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -89,6 +89,7 @@ allow system_app {
   -installd_service
   -iorapd_service
   -lpdump_service
+  -mdns_service
   -netd_service
   -system_suspend_control_internal_service
   -system_suspend_control_service
@@ -103,6 +104,7 @@ dontaudit system_app {
   dumpstate_service
   installd_service
   iorapd_service
+  mdns_service
   netd_service
   virtual_touchpad_service
   vold_service
diff --git a/private/system_server.te b/private/system_server.te
index 6e108df9c..7e66c5a29 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -869,6 +869,7 @@ allow system_server iorapd_service:service_manager find;
 allow system_server keystore_maintenance_service:service_manager find;
 allow system_server keystore_metrics_service:service_manager find;
 allow system_server keystore_service:service_manager find;
+allow system_server mdns_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediametrics_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
diff --git a/public/netd.te b/public/netd.te
index ff0bff6c9..899df881d 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -87,6 +87,7 @@ allow netd dnsmasq:process signal;
 binder_use(netd)
 add_service(netd, netd_service)
 add_service(netd, dnsresolver_service)
+add_service(netd, mdns_service)
 allow netd dumpstate:fifo_file  { getattr write };
 
 # Allow netd to call into the system server so it can check permissions.
@@ -150,6 +151,16 @@ neverallow {
     -netutils_wrapper
 } dnsresolver_service:service_manager find;
 
+# only system_server, dumpstate and network stack app may find mdns service
+neverallow {
+    domain
+    -system_server
+    -dumpstate
+    -network_stack
+    -netd
+    -netutils_wrapper
+} mdns_service:service_manager find;
+
 # apps may not interact with netd over binder.
 neverallow { appdomain -network_stack } netd:binder call;
 neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
diff --git a/public/service.te b/public/service.te
index 99db2d38f..855f74418 100644
--- a/public/service.te
+++ b/public/service.te
@@ -27,6 +27,7 @@ type keystore_metrics_service, service_manager_type;
 type keystore_service,          service_manager_type;
 type legacykeystore_service,    service_manager_type;
 type lpdump_service,            service_manager_type;
+type mdns_service,              service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediametrics_service,      service_manager_type;
 type mediaextractor_service,    service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 60e3521bc..4175c86bb 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -85,6 +85,7 @@ allow shell {
   -incident_service
   -installd_service
   -iorapd_service
+  -mdns_service
   -netd_service
   -system_suspend_control_internal_service
   -system_suspend_control_service
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 03c49442e..1ab150db8 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -12,6 +12,7 @@ allow traceur_app {
   -installd_service
   -iorapd_service
   -lpdump_service
+  -mdns_service
   -netd_service
   -virtual_touchpad_service
   -vold_service