Add sepolicy for mdns service
mDNS service is a subset of the netd-provided services, so it gets the same treatment as netd_service or dnsresolver_service.

Bug: 209894875
Test: built, flashed, booted
Change-Id: I33de769c4fff41e816792a34015a70f89e4b8a8c
parent
9d34085078
commit
70b0a77ee0
11 changed files with 22 additions and 0 deletions
|
@ -33,6 +33,7 @@ allow atrace {
|
|||
-installd_service
|
||||
-iorapd_service
|
||||
-lpdump_service
|
||||
-mdns_service
|
||||
-netd_service
|
||||
-stats_service
|
||||
-tracingproxy_service
|
||||
|
|
|
@ -45,6 +45,7 @@
|
|||
hal_wifi_hostapd_service
|
||||
hal_wifi_supplicant_service
|
||||
locale_service
|
||||
mdns_service
|
||||
mtectrl
|
||||
nearby_service
|
||||
proc_watermark_boost_factor
|
||||
|
|
|
@ -17,6 +17,7 @@ allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
|
|||
# For netutils (ndc) to be able to talk to netd
|
||||
allow netutils_wrapper netd_service:service_manager find;
|
||||
allow netutils_wrapper dnsresolver_service:service_manager find;
|
||||
allow netutils_wrapper mdns_service:service_manager find;
|
||||
binder_use(netutils_wrapper);
|
||||
binder_call(netutils_wrapper, netd);
|
||||
|
||||
|
|
|
@ -22,6 +22,7 @@ allow network_stack self:netlink_route_socket nlmsg_write;
|
|||
|
||||
allow network_stack app_api_service:service_manager find;
|
||||
allow network_stack dnsresolver_service:service_manager find;
|
||||
allow network_stack mdns_service:service_manager find;
|
||||
allow network_stack netd_service:service_manager find;
|
||||
allow network_stack network_watchlist_service:service_manager find;
|
||||
allow network_stack radio_service:service_manager find;
|
||||
|
|
|
@ -207,6 +207,7 @@ logcat u:object_r:logcat_service:s0
|
|||
logd u:object_r:logd_service:s0
|
||||
looper_stats u:object_r:looper_stats_service:s0
|
||||
lpdump_service u:object_r:lpdump_service:s0
|
||||
mdns u:object_r:mdns_service:s0
|
||||
media.aaudio u:object_r:audioserver_service:s0
|
||||
media.audio_flinger u:object_r:audioserver_service:s0
|
||||
media.audio_policy u:object_r:audioserver_service:s0
|
||||
|
|
|
@ -89,6 +89,7 @@ allow system_app {
|
|||
-installd_service
|
||||
-iorapd_service
|
||||
-lpdump_service
|
||||
-mdns_service
|
||||
-netd_service
|
||||
-system_suspend_control_internal_service
|
||||
-system_suspend_control_service
|
||||
|
@ -103,6 +104,7 @@ dontaudit system_app {
|
|||
dumpstate_service
|
||||
installd_service
|
||||
iorapd_service
|
||||
mdns_service
|
||||
netd_service
|
||||
virtual_touchpad_service
|
||||
vold_service
|
||||
|
|
|
@ -869,6 +869,7 @@ allow system_server iorapd_service:service_manager find;
|
|||
allow system_server keystore_maintenance_service:service_manager find;
|
||||
allow system_server keystore_metrics_service:service_manager find;
|
||||
allow system_server keystore_service:service_manager find;
|
||||
allow system_server mdns_service:service_manager find;
|
||||
allow system_server mediaserver_service:service_manager find;
|
||||
allow system_server mediametrics_service:service_manager find;
|
||||
allow system_server mediaextractor_service:service_manager find;
|
||||
|
|
|
@ -87,6 +87,7 @@ allow netd dnsmasq:process signal;
|
|||
binder_use(netd)
|
||||
add_service(netd, netd_service)
|
||||
add_service(netd, dnsresolver_service)
|
||||
add_service(netd, mdns_service)
|
||||
allow netd dumpstate:fifo_file { getattr write };
|
||||
|
||||
# Allow netd to call into the system server so it can check permissions.
|
||||
|
@ -150,6 +151,16 @@ neverallow {
|
|||
-netutils_wrapper
|
||||
} dnsresolver_service:service_manager find;
|
||||
|
||||
# only system_server, dumpstate and network stack app may find mdns service
|
||||
neverallow {
|
||||
domain
|
||||
-system_server
|
||||
-dumpstate
|
||||
-network_stack
|
||||
-netd
|
||||
-netutils_wrapper
|
||||
} mdns_service:service_manager find;
|
||||
|
||||
# apps may not interact with netd over binder.
|
||||
neverallow { appdomain -network_stack } netd:binder call;
|
||||
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
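Review bot: The comment heading the new neverallow block says only system_server, dumpstate and the network stack app may find the mdns service, yet the exception set it introduces also carves out netd and netutils_wrapper, so the comment understates who gets through and will mislead the next person auditing this rule. I'd word it to match the full exception list, as the dnsresolver_service rule directly above does: `# only system_server, dumpstate, network stack app, netd and netutils_wrapper may find mdns service`. Separately, dumpstate is exempted from the neverallow but no `allow dumpstate mdns_service:service_manager find` appears anywhere in this change; presumably dumpstate already holds a broader find rule elsewhere, but that is worth confirming, since an exemption with no matching allow is dead weight at best and a silent widening later at worst. The surrounding netd.te rules before the first hunk and after this one are outside the visible hunks.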
|
||||
|
|
|
@ -27,6 +27,7 @@ type keystore_metrics_service, service_manager_type;
|
|||
type keystore_service, service_manager_type;
|
||||
type legacykeystore_service, service_manager_type;
|
||||
type lpdump_service, service_manager_type;
|
||||
type mdns_service, service_manager_type;
|
||||
type mediaserver_service, service_manager_type;
|
||||
type mediametrics_service, service_manager_type;
|
||||
type mediaextractor_service, service_manager_type;
|
||||
|
|
|
@ -85,6 +85,7 @@ allow shell {
|
|||
-incident_service
|
||||
-installd_service
|
||||
-iorapd_service
|
||||
-mdns_service
|
||||
-netd_service
|
||||
-system_suspend_control_internal_service
|
||||
-system_suspend_control_service
|
||||
|
|
|
@ -12,6 +12,7 @@ allow traceur_app {
|
|||
-installd_service
|
||||
-iorapd_service
|
||||
-lpdump_service
|
||||
-mdns_service
|
||||
-netd_service
|
||||
-virtual_touchpad_service
|
||||
-vold_service
|
||||
|
|