Add sepolicy for mdns service

mdns service is a subset of netd-provided services, so it gets the same treatment as netd_service or dnsresolver_service Bug: 209894875 Test: built, flashed, booted Change-Id: I33de769c4fff41e816792a34015a70f89e4b8a8c
2021-12-09 11:49:23 +08:00 · 2021-12-09 11:49:23 +08:00 · 70b0a77ee0
commit 70b0a77ee0
parent 9d34085078
11 changed files with 22 additions and 0 deletions
--- a/private/atrace.te
+++ b/private/atrace.te
@ -33,6 +33,7 @@ allow atrace {
  -installd_service
  -iorapd_service
  -lpdump_service
  -mdns_service
  -netd_service
  -stats_service
  -tracingproxy_service
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@ -45,6 +45,7 @@
    hal_wifi_hostapd_service
    hal_wifi_supplicant_service
    locale_service
    mdns_service
    mtectrl
    nearby_service
    proc_watermark_boost_factor
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@ -17,6 +17,7 @@ allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
 # For netutils (ndc) to be able to talk to netd
 allow netutils_wrapper netd_service:service_manager find;
 allow netutils_wrapper dnsresolver_service:service_manager find;
 allow netutils_wrapper mdns_service:service_manager find;
 binder_use(netutils_wrapper);
 binder_call(netutils_wrapper, netd);
--- a/private/network_stack.te
+++ b/private/network_stack.te
@ -22,6 +22,7 @@ allow network_stack self:netlink_route_socket nlmsg_write;
 allow network_stack app_api_service:service_manager find;
 allow network_stack dnsresolver_service:service_manager find;
 allow network_stack mdns_service:service_manager find;
 allow network_stack netd_service:service_manager find;
 allow network_stack network_watchlist_service:service_manager find;
 allow network_stack radio_service:service_manager find;
--- a/private/service_contexts
+++ b/private/service_contexts
@ -207,6 +207,7 @@ logcat                                    u:object_r:logcat_service:s0
 logd                                      u:object_r:logd_service:s0
 looper_stats                              u:object_r:looper_stats_service:s0
 lpdump_service                            u:object_r:lpdump_service:s0
 mdns                                      u:object_r:mdns_service:s0
 media.aaudio                              u:object_r:audioserver_service:s0
 media.audio_flinger                       u:object_r:audioserver_service:s0
 media.audio_policy                        u:object_r:audioserver_service:s0
--- a/private/system_app.te
+++ b/private/system_app.te
@ -89,6 +89,7 @@ allow system_app {
  -installd_service
  -iorapd_service
  -lpdump_service
  -mdns_service
  -netd_service
  -system_suspend_control_internal_service
  -system_suspend_control_service
@ -103,6 +104,7 @@ dontaudit system_app {
  dumpstate_service
  installd_service
  iorapd_service
  mdns_service
  netd_service
  virtual_touchpad_service
  vold_service
--- a/private/system_server.te
+++ b/private/system_server.te
@ -869,6 +869,7 @@ allow system_server iorapd_service:service_manager find;
 allow system_server keystore_maintenance_service:service_manager find;
 allow system_server keystore_metrics_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server mdns_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediametrics_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
--- a/public/netd.te
+++ b/public/netd.te
@ -87,6 +87,7 @@ allow netd dnsmasq:process signal;
 binder_use(netd)
 add_service(netd, netd_service)
 add_service(netd, dnsresolver_service)
 add_service(netd, mdns_service)
 allow netd dumpstate:fifo_file  { getattr write };
 # Allow netd to call into the system server so it can check permissions.
@ -150,6 +151,16 @@ neverallow {
    -netutils_wrapper
 } dnsresolver_service:service_manager find;
 # only system_server, dumpstate and network stack app may find mdns service
 neverallow {
    domain
    -system_server
    -dumpstate
    -network_stack
    -netd
    -netutils_wrapper
 } mdns_service:service_manager find;
 # apps may not interact with netd over binder.
 neverallow { appdomain -network_stack } netd:binder call;
 neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
--- a/public/service.te
+++ b/public/service.te
@ -27,6 +27,7 @@ type keystore_metrics_service, service_manager_type;
 type keystore_service,          service_manager_type;
 type legacykeystore_service,    service_manager_type;
 type lpdump_service,            service_manager_type;
 type mdns_service,              service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediametrics_service,      service_manager_type;
 type mediaextractor_service,    service_manager_type;
--- a/public/shell.te
+++ b/public/shell.te
@ -85,6 +85,7 @@ allow shell {
  -incident_service
  -installd_service
  -iorapd_service
  -mdns_service
  -netd_service
  -system_suspend_control_internal_service
  -system_suspend_control_service
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@ -12,6 +12,7 @@ allow traceur_app {
  -installd_service
  -iorapd_service
  -lpdump_service
  -mdns_service
  -netd_service
  -virtual_touchpad_service
  -vold_service