platform_system_sepolicy/private/network_stack.te
Maciej Żenczykowski ebb45f9dea remove init/vendor_init access to bpffs_type
There should be no need for this and it fixes a long outstanding TODO.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id1764cbc713addbbda6827fe6c6689e45e8f584c
2022-12-02 12:26:03 +00:00

101 lines
5.2 KiB
Text

# Networking service app
typeattribute network_stack coredomain;
typeattribute network_stack mlstrustedsubject;
typeattribute network_stack bpfdomain;
app_domain(network_stack);
net_domain(network_stack);
allow network_stack self:global_capability_class_set {
net_admin
net_bind_service
net_broadcast
net_raw
};
# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
# The DhcpClient uses packet_sockets
allow network_stack self:packet_socket create_socket_perms_no_ioctl;
# Monitor neighbors via netlink.
allow network_stack self:netlink_route_socket nlmsg_write;
# Use netlink uevent sockets.
allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# give network_stack the same netlink permissions as netd
allow network_stack self:netlink_nflog_socket create_socket_perms_no_ioctl;
allow network_stack self:netlink_socket create_socket_perms_no_ioctl;
allow network_stack self:netlink_generic_socket create_socket_perms_no_ioctl;
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
allow network_stack mdns_service:service_manager find;
allow network_stack netd_service:service_manager find;
allow network_stack network_watchlist_service:service_manager find;
allow network_stack radio_service:service_manager find;
allow network_stack system_config_service:service_manager find;
allow network_stack radio_data_file:dir create_dir_perms;
allow network_stack radio_data_file:file create_file_perms;
binder_call(network_stack, netd);
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Remove this permission when 4.9 kernel is deprecated.
allow network_stack self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
dontaudit network_stack self:key_socket getopt;
# Grant read permission of connectivity namespace system property prefix.
get_prop(network_stack, device_config_connectivity_prop)
# Create/use netlink_tcpdiag_socket to get tcp info
allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
############### Tethering Service app - Tethering.apk ##############
hal_client_domain(network_stack, hal_tetheroffload)
# Create and share netlink_netfilter_sockets for tetheroffload.
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow network_stack network_stack_service:service_manager find;
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
# Use XFRM (IPsec) netlink sockets
allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
# tun device used for 3rd party vpn apps and test network manager
allow network_stack tun_device:chr_file rw_file_perms;
allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
############### NEVER ALLOW RULES
# This place is as good as any for these rules,
# and it is probably the most appropriate because
# network_stack itself is entirely mainline code.
# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~getattr;
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file *;
# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~getattr;
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file *;
# T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
# netd's access should be readonly
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~getattr;
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file *;
neverallow netd fs_bpf_netd_readonly:file write;
# T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
# netutils_wrapper requires access to be able to run iptables and only needs readonly access
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~getattr;
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file *;
neverallow netutils_wrapper fs_bpf_netd_shared:file write;
# S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~getattr;
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file *;