Commit graph

9 commits

Author SHA1 Message Date
Hungming Chen
fc6556a5b5 Grants clatd privs since forked by system server
System server forks clatd now. Need to add rules to
fork clatd. netd doesn't fork clatd anymore.

Bug: 212345928
Test: ping 8.8.8.8 under ipv6-only network
check bpf maps are added.
$ adb shell dumpsys netd --short | grep Clat -A10
  ClatdController
    Trackers: iif[iface] nat64Prefix v6Addr -> v4Addr v4iif[v4iface] [fwmark]
    BPF ingress map: iif(iface) nat64Prefix v6Addr -> v4Addr oif(iface)
      47(wlan0) 64:ff9b::/96 2a00:79e1:abc:6f02:b7aa:ff3c:9220:595c -> 192.0.0.4 52(v4-wlan0)
    BPF egress map: iif(iface) v4Addr -> v6Addr nat64Prefix oif(iface)
      52(v4-wlan0) 192.0.0.4 -> 2a00:79e1:abc:6f02:b7aa:ff3c:9220:595c 64:ff9b::/96 47(wlan0) ether

Change-Id: I70be6132ab7bfdd96b5f537a96722312cd93bbb8
2022-01-21 18:17:45 +00:00
Hungming Chen
7f4a2ab9fe clatd: remove spurious privs
Since the clatd has some code cleanup, these privs are not required
anymore.

Bug: 212345928
Test: manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
   $ ping 8.8.8.8

Change-Id: Ib801a190f9c14ee488bc77a43ac59c78c44773ab
2022-01-16 14:28:57 +08:00
Hungming Chen
e544438399 [NC#3] clatd: remove raw and packet socket creation privs
Don't need these permission anymore because the raw and packet
socket setup are moved from clatd to netd.

Test: manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
   $ ping 8.8.8.8

Change-Id: I07d890df2d1b8d9c1736aa5e6dc36add4f46345b
2021-12-10 20:42:27 +08:00
Hungming Chen
cef08e5d58 [NC#2] clatd: allow clatd access raw and packet socket inherited from netd
Needed because the raw and packet socket setup are moved from
clatd to netd. Netd pass the configured raw and packet sockets
to clatd. clatd needs the permission to access inherited
objects.

Test: manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
   $ ping 8.8.8.8

Test:
Change-Id: If6479f815a37f56715d7650c714202fcc1ec466b
2021-12-10 20:42:00 +08:00
Maciej Żenczykowski
e397503f80 remove spurious clat selinux privs
Test: ran on flame with ipv6 only wifi network
Bug: 144642337
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5610b5e446ed1f2288edb12c665a5bddd69d6dae
2021-11-09 19:26:13 +00:00
Maciej Żenczykowski
44328c061d sepolicy - move public clatd to private
Clatd is effectively an internal implementation detail of netd.
It exists as a separate daemon only because this gives us a better
security boundary.  Netd is it's only launcher (via fork/exec) and
killer.

Generated via:
  { echo; cat public/clatd.te; echo; } >> private/clatd.te
  rm -f public/clatd.te

  plus a minor edit to put coredomain after clatd type declaration
  and required changes to move netd's clatd use out of public into private.

Test: build and install on non-aosp test device, atest, check for selinux clat denials
Change-Id: I80f110b75828f3657986e64650ef9e0f9877a07c
2019-05-11 17:47:25 -07:00
Jeff Vander Stoep
b5da252e45 domain_deprecated is dead
long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
2017-07-28 22:01:46 +00:00
Jeff Vander Stoep
7c34e83fcd Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
2017-07-24 07:39:54 -07:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00