Fix system server and network stack netlink permissions
Give system_server and network_stack the same permissions as netd. This is needed as we are continuously moving code out of netd into network_stack and system_server. Test: TH Bug: 233300834 Change-Id: I9559185081213fdeb33019733654ce95af816d99
This commit is contained in:
Patrick Rohr
parent
6b2fefbf46
commit
ab02397814
3 changed files with 14 additions and 2 deletions
|
|
@ -22,6 +22,14 @@ allow network_stack self:packet_socket create_socket_perms_no_ioctl;
|
|||
# Monitor neighbors via netlink.
|
||||
allow network_stack self:netlink_route_socket nlmsg_write;
|
||||
|
||||
# Use netlink uevent sockets.
|
||||
allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
||||
|
||||
# give network_stack the same netlink permissions as netd
|
||||
allow network_stack self:netlink_nflog_socket create_socket_perms_no_ioctl;
|
||||
allow network_stack self:netlink_socket create_socket_perms_no_ioctl;
|
||||
allow network_stack self:netlink_generic_socket create_socket_perms_no_ioctl;
|
||||
|
||||
allow network_stack app_api_service:service_manager find;
|
||||
allow network_stack dnsresolver_service:service_manager find;
|
||||
allow network_stack mdns_service:service_manager find;
|
||||
|
|
|
|||
|
|
@ -156,11 +156,14 @@ allow system_server self:global_capability2_class_set wake_alarm;
|
|||
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
|
||||
|
||||
# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
|
||||
allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
|
||||
allow system_server self:netlink_tcpdiag_socket
|
||||
{ create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
|
||||
|
||||
# Use netlink uevent sockets.
|
||||
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
||||
|
||||
allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;
|
||||
|
||||
# Use generic netlink sockets.
|
||||
allow system_server self:netlink_socket create_socket_perms_no_ioctl;
|
||||
allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
|
||||
|
|
|
|||
|
|
@ -53,7 +53,8 @@ neverallow { appdomain -network_stack }
|
|||
# These messages are broadcast messages from the kernel to userspace.
|
||||
# Do not allow the writing of netlink messages, which has been a source
|
||||
# of rooting vulns in the past.
|
||||
neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
|
||||
neverallow { appdomain -network_stack }
|
||||
domain:netlink_kobject_uevent_socket { write append };
|
||||
|
||||
# Sockets under /dev/socket that are not specifically typed.
|
||||
neverallow appdomain socket_device:sock_file write;
|
||||
|
|
|
|||
Loading…
Reference in a new issue