6598175e06
Require all domains which can be used for BPF to be marked as bpfdomain, and add a restriction for these domains to not be able to use net_raw or net_admin. We want to make sure the network stack has exclusive access to certain BPF attach points. Bug: 140330870 Bug: 162057235 Test: build (compile-time neverallows) Change-Id: I29100e48a757fdcf600931d5eb42988101275325
65 lines
3 KiB
Text
65 lines
3 KiB
Text
# Networking service app
|
|
typeattribute network_stack coredomain;
|
|
typeattribute network_stack mlstrustedsubject;
|
|
typeattribute network_stack bpfdomain;
|
|
|
|
app_domain(network_stack);
|
|
net_domain(network_stack);
|
|
|
|
allow network_stack self:global_capability_class_set {
|
|
net_admin
|
|
net_bind_service
|
|
net_broadcast
|
|
net_raw
|
|
};
|
|
|
|
# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
|
|
allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
|
|
|
|
# The DhcpClient uses packet_sockets
|
|
allow network_stack self:packet_socket create_socket_perms_no_ioctl;
|
|
|
|
# Monitor neighbors via netlink.
|
|
allow network_stack self:netlink_route_socket nlmsg_write;
|
|
|
|
allow network_stack app_api_service:service_manager find;
|
|
allow network_stack dnsresolver_service:service_manager find;
|
|
allow network_stack mdns_service:service_manager find;
|
|
allow network_stack netd_service:service_manager find;
|
|
allow network_stack network_watchlist_service:service_manager find;
|
|
allow network_stack radio_service:service_manager find;
|
|
allow network_stack system_config_service:service_manager find;
|
|
allow network_stack radio_data_file:dir create_dir_perms;
|
|
allow network_stack radio_data_file:file create_file_perms;
|
|
|
|
binder_call(network_stack, netd);
|
|
|
|
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
|
|
# TODO: Remove this permission when 4.9 kernel is deprecated.
|
|
allow network_stack self:key_socket create;
|
|
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
|
|
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
|
|
dontaudit network_stack self:key_socket getopt;
|
|
|
|
# Grant read permission of connectivity namespace system property prefix.
|
|
get_prop(network_stack, device_config_connectivity_prop)
|
|
|
|
# Create/use netlink_tcpdiag_socket to get tcp info
|
|
allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
|
|
############### Tethering Service app - Tethering.apk ##############
|
|
hal_client_domain(network_stack, hal_tetheroffload)
|
|
# Create and share netlink_netfilter_sockets for tetheroffload.
|
|
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
|
|
allow network_stack network_stack_service:service_manager find;
|
|
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
|
|
allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
|
|
allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
|
|
allow network_stack bpfloader:bpf { map_read map_write prog_run };
|
|
|
|
# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
|
|
# Unfortunately init/vendor_init have all sorts of extra privs
|
|
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
|
|
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
|
|
|
|
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
|
|
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
|