From 554b334d7be6f90fc55c62936625bb544853168a Mon Sep 17 00:00:00 2001
From: Luke Huang
Date: Tue, 19 Mar 2019 15:07:00 +0800
Subject: [PATCH] Sepolicy for netutils_wrapper to use binder call

Bug: 65862741
Test: built, flashed, booted
Change-Id: I346520c47b74fde5137ad7c777f0a9eca50a06d7
---
 private/netutils_wrapper.te | 6 ++++--
 public/netd.te | 2 ++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index a773f96f9..ca3b51585 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -15,8 +15,10 @@ allow netutils_wrapper self:netlink_route_socket ~ioctl;
 allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
 
 # For netutils (ndc) to be able to talk to netd
-allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
-allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+allow netutils_wrapper netd_service:service_manager find;
+allow netutils_wrapper dnsresolver_service:service_manager find;
+binder_use(netutils_wrapper);
+binder_call(netutils_wrapper, netd);
 
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
diff --git a/public/netd.te b/public/netd.te
index 859cb65d3..c4a913632 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -138,6 +138,7 @@ neverallow {
   -dumpstate
   -network_stack
   -netd
+  -netutils_wrapper
 } netd_service:service_manager find;
 
 # only system_server, dumpstate and network stack app may find dnsresolver service
@@ -147,6 +148,7 @@ neverallow {
   -dumpstate
   -network_stack
   -netd
+  -netutils_wrapper
 } dnsresolver_service:service_manager find;
 
 # only netd can create the bpf maps
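Review bot: The context comment `# For netutils (ndc) to be able to talk to netd` still describes the unix-socket path that this hunk removes; now that the grant is binder-based it should say so, e.g. `# For netutils (ndc) to reach netd and the DNS resolver service over binder`. The hunk adds `find` on both netd_service and dnsresolver_service but only `binder_call(netutils_wrapper, netd)`; if dnsresolver_service is published by a domain other than netd, the resolver calls would still be denied, so the hosting domain of that service should be confirmed before landing. Dropping the netd_socket and unix_stream_socket rules also means any vendor caller that still invokes ndc over the socket will now surface as an avc denial rather than silently keep working, which is worth stating in the commit message.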
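Review bot: The trailing context comment `# only system_server, dumpstate and network stack app may find dnsresolver service` is now stale, since netd and, with this change, netutils_wrapper are both exempted from the neverallow it introduces; update it to `# only system_server, dumpstate, network stack app, netd and netutils_wrapper may find dnsresolver service`. The comment above the netd_service neverallow in this hunk starts outside the hunk and presumably needs the same correction, and the third hunk (`@@ -147,6 +148,7 @@`) widens the dnsresolver exemption in the same way. Keeping these comments in sync with the exemption lists matters because they are the reader's first indication of which domains may reach a privileged service.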