platform_system_sepolicy/private/netd.te
Maciej Żenczykowski 28960d319a allow non bpfloader creation of bpf maps
In practice only bpf programs are critical to device security...

Normally there is basically no use for creating bpf maps outside
of the bpfloader, since they have to be tied directly into the bpf
programs (which is only ever done by the bpfloader during the boot
process) to be of any use.

This means that bpf maps created after the bpfloader is done,
can't actually be used by any bpf code...

Hence we had this restriction.

However, map-in-map support changes this:

It becomes possible to define a boot-time (bpfloader loaded)
bpf program which accesses an (initially empty) outer map
(created by the bpfloader).

This outer map can be populated with inner maps at run time by various
bpf using userspace code.  While it can be populated with bpfloader
created 'static' maps, it also makes sense to be able to create/destroy
these inner maps on demand 'dynamically'.

This allows bpf map memory utilization to be driven by actual runtime
device needs.  For example scaling with the number of users, apps,
or connected networks.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I93223c660463596c9e50065be819e2fd865da923
2024-05-04 11:02:13 +00:00

232 lines
8.2 KiB
Text

typeattribute netd coredomain;
typeattribute netd bpfdomain;
init_daemon_domain(netd)
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
allow netd { fs_bpf fs_bpf_netd_shared }:file write;
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup,
# create maps, and read/write maps created by bpfloader, itself and NS/SS mainline networking
allow netd bpfloader:bpf prog_run;
allow netd self:bpf map_create;
allow netd { bpfloader netd network_stack system_server }:bpf { map_read map_write };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Still needed as of kernel 6.6-rc1 - see BpfUtils.h synchronizeKernelRCU()
# TODO: Remove this after we remove all bpf interactions from netd.
allow netd self:key_socket create;
set_prop(netd, ctl_mdnsd_prop)
set_prop(netd, netd_stable_secret_prop)
get_prop(netd, adbd_config_prop)
get_prop(netd, hwservicemanager_prop)
get_prop(netd, device_config_netd_native_prop)
# Allow netd to write to statsd.
unix_socket_send(netd, statsdw, statsd)
# Allow netd to send callbacks to network_stack
binder_call(netd, network_stack)
# Allow netd to send dump info to dumpstate
allow netd dumpstate:fd use;
allow netd dumpstate:fifo_file { getattr write };
net_domain(netd)
# Connect to mdnsd via mdnsd socket.
unix_socket_connect(netd, mdnsd, mdnsd)
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
allow netd system_server:fd use;
allow netd self:global_capability_class_set { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for netd to operate.
dontaudit netd self:global_capability_class_set fsetid;
# Allow netd to open /dev/tun, set it up and pass it to clatd
allow netd tun_device:chr_file rw_file_perms;
allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
allow netd self:tun_socket create;
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
allow netd self:netlink_socket create_socket_perms_no_ioctl;
allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
not_full_treble(`allow netd vendor_file:file x_file_perms;')
allow netd devpts:chr_file rw_file_perms;
# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
# exist, suppress the denial.
allow netd system_file:file lock;
dontaudit netd system_file:dir write;
# Allow netd to write to qtaguid ctrl file.
# TODO: Add proper rules to prevent other process to access qtaguid_proc file
# after migration complete
allow netd proc_qtaguid_ctrl:file rw_file_perms;
# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
allow netd qtaguid_device:chr_file r_file_perms;
r_dir_file(netd, proc_net_type)
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net_type:file rw_file_perms;
# Enables PppController and interface enumeration (among others)
allow netd sysfs:dir r_dir_perms;
r_dir_file(netd, sysfs_net)
# Allows setting interface MTU
allow netd sysfs_net:file w_file_perms;
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
r_dir_file(netd, cgroup_v2)
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
allow netd self:global_capability_class_set { dac_override dac_read_search chown };
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
allow netd self:global_capability_class_set fowner;
# Needed to lock the iptables lock.
allow netd system_file:file lock;
# Allow netd to spawn dnsmasq in it's own domain
allow netd dnsmasq:process { sigkill signal };
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
add_service(netd, netd_service)
add_service(netd, dnsresolver_service)
add_service(netd, mdns_service)
allow netd dumpstate:fifo_file { getattr write };
# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
allow netd permission_service:service_manager find;
# Allow netd to talk to the framework service which collects netd events.
allow netd netd_listener_service:service_manager find;
# Allow netd to operate on sockets that are passed to it.
allow netd netdomain:{
icmp_socket
tcp_socket
udp_socket
rawip_socket
tun_socket
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;
# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
# AIDL hal server
binder_call(system_net_netd_service, servicemanager)
add_service(netd, system_net_netd_service)
###
### Neverallow rules
###
### netd should NEVER do any of this
# Block device access.
neverallow netd dev_type:blk_file { read write };
# ptrace any other app
neverallow netd { domain }:process ptrace;
# Write to /system.
neverallow netd system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
# only system_server, dumpstate and network stack app may find netd service
neverallow {
domain
-system_server
-dumpstate
-network_stack
-netd
-netutils_wrapper
} netd_service:service_manager find;
# only system_server, dumpstate and network stack app may find dnsresolver service
neverallow {
domain
-system_server
-dumpstate
-network_stack
-netd
-netutils_wrapper
} dnsresolver_service:service_manager find;
# only system_server, dumpstate and network stack app may find mdns service
neverallow {
domain
-system_server
-dumpstate
-network_stack
-netd
-netutils_wrapper
} mdns_service:service_manager find;
# apps may not interact with netd over binder.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
neverallow netd proc_net:dir no_w_dir_perms;
dontaudit netd proc_net:dir write;
neverallow netd sysfs_net:dir no_w_dir_perms;
dontaudit netd sysfs_net:dir write;
# Netd should not have SYS_ADMIN privs.
neverallow netd self:capability sys_admin;
dontaudit netd self:capability sys_admin;
# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
# (things it requires should be built directly into the kernel)
dontaudit netd self:capability sys_module;
dontaudit netd appdomain:unix_stream_socket { read write };
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;