c471e4c08d
NetworkStack GTS tests need get network_watchlist_service and system_config_service to test their APIs which are used by module. But it will block by avc denied when trying to get these services. Thus, amend networkstack sepolicy that can get these services correctly. Bug: 185309847 Test: Verify GTS test can get service correctly. Change-Id: Icb18065e94d0026c3232cebb7d5eb39277fe7552
62 lines
2.9 KiB
Text
62 lines
2.9 KiB
Text
# Networking service app
|
|
typeattribute network_stack coredomain, mlstrustedsubject;
|
|
|
|
app_domain(network_stack);
|
|
net_domain(network_stack);
|
|
|
|
allow network_stack self:global_capability_class_set {
|
|
net_admin
|
|
net_bind_service
|
|
net_broadcast
|
|
net_raw
|
|
};
|
|
|
|
# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
|
|
allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
|
|
|
|
# The DhcpClient uses packet_sockets
|
|
allow network_stack self:packet_socket create_socket_perms_no_ioctl;
|
|
|
|
# Monitor neighbors via netlink.
|
|
allow network_stack self:netlink_route_socket nlmsg_write;
|
|
|
|
allow network_stack app_api_service:service_manager find;
|
|
allow network_stack dnsresolver_service:service_manager find;
|
|
allow network_stack netd_service:service_manager find;
|
|
allow network_stack network_watchlist_service:service_manager find;
|
|
allow network_stack radio_service:service_manager find;
|
|
allow network_stack system_config_service:service_manager find;
|
|
allow network_stack radio_data_file:dir create_dir_perms;
|
|
allow network_stack radio_data_file:file create_file_perms;
|
|
|
|
binder_call(network_stack, netd);
|
|
|
|
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
|
|
# TODO: Remove this permission when 4.9 kernel is deprecated.
|
|
allow network_stack self:key_socket create;
|
|
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
|
|
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
|
|
dontaudit network_stack self:key_socket getopt;
|
|
|
|
# Grant read permission of connectivity namespace system property prefix.
|
|
get_prop(network_stack, device_config_connectivity_prop)
|
|
|
|
# Create/use netlink_tcpdiag_socket to get tcp info
|
|
allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
|
|
############### Tethering Service app - Tethering.apk ##############
|
|
hal_client_domain(network_stack, hal_tetheroffload)
|
|
# Create and share netlink_netfilter_sockets for tetheroffload.
|
|
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
|
|
allow network_stack network_stack_service:service_manager find;
|
|
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
|
|
allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
|
|
allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
|
|
allow network_stack bpfloader:bpf { map_read map_write prog_run };
|
|
|
|
# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
|
|
# Unfortunately init/vendor_init have all sorts of extra privs
|
|
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
|
|
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
|
|
|
|
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
|
|
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
|