platform_system_sepolicy/netd.te
Stephen Smalley 45731c70ef Annotate MLS trusted subjects and objects.
When using MLS (i.e. enabling levelFrom= in seapp_contexts),
certain domains and types must be exempted from the normal
constraints defined in the mls file.  Beyond the current
set, adbd, logd, mdnsd, netd, and servicemanager need to
be able to read/write to any level in order to communicate
with apps running with any level, and the logdr and logdw
sockets need to be writable by apps running with any level.

This change has no impact unless levelFrom= is specified in
seapp_contexts, so by itself it is a no-op.

Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-08 16:06:40 -04:00

86 lines
2.9 KiB
Text

# network manager
type netd, domain, mlstrustedsubject;
type netd_exec, exec_type, file_type;
init_daemon_domain(netd)
net_domain(netd)
allow netd self:capability { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for netd to operate. Uncomment the dontaudit rule below after
# sufficient testing of the fsetid removal.
# dontaudit netd self:capability fsetid;
allow netd self:netlink_kobject_uevent_socket create_socket_perms;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
allow netd devpts:chr_file rw_file_perms;
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file write;
# For /sys/modules/bcmdhd/parameters/firmware_path
# XXX Split into its own type.
allow netd sysfs:file write;
# Set dhcp lease for PAN connection
unix_socket_connect(netd, property, init)
allow netd dhcp_prop:property_service set;
allow netd system_prop:property_service set;
auditallow netd system_prop:property_service set;
# Connect to PAN
domain_auto_trans(netd, dhcp_exec, dhcp)
allow netd dhcp:process signal;
# Needed to update /data/misc/wifi/hostapd.conf
# TODO: See what we can do to reduce the need for
# these capabilities
allow netd self:capability { dac_override chown fowner };
allow netd wifi_data_file:file create_file_perms;
allow netd wifi_data_file:dir rw_dir_perms;
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
# Allow netd to spawn hostapd in it's own domain
domain_auto_trans(netd, hostapd_exec, hostapd)
allow netd hostapd:process signal;
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
allow netd dnsmasq:process signal;
# Allow netd to start clatd in its own domain
domain_auto_trans(netd, clatd_exec, clatd)
allow netd clatd:process signal;
allow netd ctl_mdnsd_prop:property_service set;
# Allow netd to operate on sockets that are passed to it.
allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
allow netd netdomain:fd use;
###
### Neverallow rules
###
### netd should NEVER do any of this
# Block device access.
neverallow netd dev_type:blk_file { read write };
# ptrace any other app
neverallow netd { domain }:process ptrace;
# Write to /system.
neverallow netd system_file:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;