91ebcf3332
The patch in 36a5d109e6 wasn't
sufficient to address DNS over TCP. We also need to allow
name_connect.
Fixes the following denial:
<5>[ 82.120746] type=1400 audit(1830030.349:5): avc: denied { name_connect } for pid=1457 comm="netd" dest=53 scontext=u:r:netd:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket
Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Bug: 11097631
Change-Id: I688d6923b78782e2183a9d69b7e74f95d6e3f893
81 lines
2.5 KiB
Text
81 lines
2.5 KiB
Text
# network manager
|
|
type netd, domain;
|
|
type netd_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(netd)
|
|
allow netd self:capability { net_admin net_raw kill };
|
|
allow netd self:netlink_kobject_uevent_socket *;
|
|
allow netd self:netlink_route_socket *;
|
|
allow netd self:netlink_nflog_socket *;
|
|
allow netd self:rawip_socket *;
|
|
allow netd self:{ tcp_socket udp_socket } *;
|
|
allow netd node:{ tcp_socket udp_socket } node_bind;
|
|
allow netd port:{ tcp_socket udp_socket } name_bind;
|
|
allow netd port:tcp_socket name_connect;
|
|
allow netd self:unix_stream_socket *;
|
|
allow netd shell_exec:file rx_file_perms;
|
|
allow netd system_file:file x_file_perms;
|
|
allow netd devpts:chr_file rw_file_perms;
|
|
|
|
# For /proc/sys/net/ipv[46]/route/flush.
|
|
# XXX Split /proc/sys/net into its own type.
|
|
allow netd proc:file write;
|
|
|
|
# For /sys/modules/bcmdhd/parameters/firmware_path
|
|
# XXX Split into its own type.
|
|
allow netd sysfs:file write;
|
|
|
|
# Set dhcp lease for PAN connection
|
|
unix_socket_connect(netd, property, init)
|
|
allow netd system_prop:property_service set;
|
|
|
|
# Connect to PAN
|
|
domain_auto_trans(netd, dhcp_exec, dhcp)
|
|
allow netd dhcp:process signal;
|
|
|
|
# Needed to update /data/misc/wifi/hostapd.conf
|
|
# TODO: See what we can do to reduce the need for
|
|
# these capabilities
|
|
allow netd self:capability { dac_override chown fowner };
|
|
allow netd wifi_data_file:file create_file_perms;
|
|
allow netd wifi_data_file:dir rw_dir_perms;
|
|
|
|
# Allow netd to spawn hostapd in it's own domain
|
|
domain_auto_trans(netd, hostapd_exec, hostapd)
|
|
allow netd hostapd:process signal;
|
|
|
|
# Allow netd to spawn dnsmasq in it's own domain
|
|
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
|
|
allow netd dnsmasq:process signal;
|
|
|
|
# Allow netd to start clatd in its own domain
|
|
domain_auto_trans(netd, clatd_exec, clatd)
|
|
allow netd clatd:process signal;
|
|
|
|
# Support netd running mdnsd
|
|
# TODO: prune this back further
|
|
allow netd ctl_default_prop:property_service set;
|
|
allow netd device:sock_file write;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### netd should NEVER do any of this
|
|
|
|
# Block device access.
|
|
neverallow netd dev_type:blk_file { read write };
|
|
|
|
# Setting SELinux enforcing status or booleans.
|
|
neverallow netd kernel:security { setenforce setbool };
|
|
|
|
# Load security policy.
|
|
neverallow netd kernel:security load_policy;
|
|
|
|
# ptrace any other app
|
|
neverallow netd { domain }:process ptrace;
|
|
|
|
# Write to /system.
|
|
neverallow netd system_file:dir_file_class_set write;
|
|
|
|
# Write to files in /data/data or system files on /data
|
|
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
|