9fa11b771b
This change did not make it into core sepolicy in time for O.
The revert allows devices to define these selinux policies in
vendor-specific sepolicy instead of core sepolicy. It is
necessary because:
1. It is too late to change property_contexts in O.
2. Adding the netd_stable_secret prop to vendor sepolicy results
in a duplicate definition error at compile time.
3. Defining a new vendor-specific context (such as
net_stable_secret_vendor_prop) and applying it to
persist.netd.stable_secret results in the device not booting
due to attempting to apply two different contexts to the same
property.
Lack of the sepolicy no longer breaks wifi connectivity now that
IpManager no longer considers failure to set the stable secret to
be a fatal error.
Once all interested devices have adopted the vendor sepolicy,
this policy can safely be reinstated by reverting said vendor
sepolicies in internal master.
This reverts commit abb1ba6532
.
Bug: 17613910
Test: bullhead builds, boots, connects to wifi
Change-Id: Idffcf78491171c54bca9f93cb920eab9b1c47709
110 lines
3.9 KiB
Text
110 lines
3.9 KiB
Text
# network manager
|
|
type netd, domain, mlstrustedsubject;
|
|
type netd_exec, exec_type, file_type;
|
|
|
|
net_domain(netd)
|
|
# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
|
|
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
|
|
|
|
r_dir_file(netd, cgroup)
|
|
allow netd system_server:fd use;
|
|
|
|
allow netd self:capability { net_admin net_raw kill };
|
|
# Note: fsetid is deliberately not included above. fsetid checks are
|
|
# triggered by chmod on a directory or file owned by a group other
|
|
# than one of the groups assigned to the current process to see if
|
|
# the setgid bit should be cleared, regardless of whether the setgid
|
|
# bit was even set. We do not appear to truly need this capability
|
|
# for netd to operate.
|
|
dontaudit netd self:capability fsetid;
|
|
|
|
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
|
allow netd self:netlink_route_socket nlmsg_write;
|
|
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
|
|
allow netd self:netlink_socket create_socket_perms_no_ioctl;
|
|
allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
|
|
allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
|
|
allow netd shell_exec:file rx_file_perms;
|
|
allow netd system_file:file x_file_perms;
|
|
not_full_treble(`allow netd vendor_file:file x_file_perms;')
|
|
allow netd devpts:chr_file rw_file_perms;
|
|
|
|
# Acquire advisory lock on /system/etc/xtables.lock
|
|
allow netd system_file:file lock;
|
|
|
|
r_dir_file(netd, proc_net)
|
|
# For /proc/sys/net/ipv[46]/route/flush.
|
|
allow netd proc_net:file rw_file_perms;
|
|
|
|
# Enables PppController and interface enumeration (among others)
|
|
r_dir_file(netd, sysfs_type)
|
|
# Allows setting interface MTU
|
|
allow netd sysfs:file write;
|
|
|
|
# TODO: added to match above sysfs rule. Remove me?
|
|
allow netd sysfs_usb:file write;
|
|
|
|
# TODO: netd previously thought it needed these permissions to do WiFi related
|
|
# work. However, after all the WiFi stuff is gone, we still need them.
|
|
# Why?
|
|
allow netd self:capability { dac_override chown };
|
|
|
|
# Needed to update /data/misc/net/rt_tables
|
|
allow netd net_data_file:file create_file_perms;
|
|
allow netd net_data_file:dir rw_dir_perms;
|
|
allow netd self:capability fowner;
|
|
|
|
# Allow netd to spawn dnsmasq in it's own domain
|
|
allow netd dnsmasq:process signal;
|
|
|
|
# Allow netd to start clatd in its own domain
|
|
allow netd clatd:process signal;
|
|
|
|
set_prop(netd, ctl_mdnsd_prop)
|
|
|
|
# Allow netd to publish a binder service and make binder calls.
|
|
binder_use(netd)
|
|
add_service(netd, netd_service)
|
|
allow netd dumpstate:fifo_file { getattr write };
|
|
|
|
# Allow netd to call into the system server so it can check permissions.
|
|
allow netd system_server:binder call;
|
|
allow netd permission_service:service_manager find;
|
|
|
|
# Allow netd to talk to the framework service which collects netd events.
|
|
allow netd netd_listener_service:service_manager find;
|
|
|
|
# Allow netd to operate on sockets that are passed to it.
|
|
allow netd netdomain:{
|
|
tcp_socket
|
|
udp_socket
|
|
rawip_socket
|
|
tun_socket
|
|
} { read write getattr setattr getopt setopt };
|
|
allow netd netdomain:fd use;
|
|
|
|
# give netd permission to read and write netlink xfrm
|
|
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### netd should NEVER do any of this
|
|
|
|
# Block device access.
|
|
neverallow netd dev_type:blk_file { read write };
|
|
|
|
# ptrace any other app
|
|
neverallow netd { domain }:process ptrace;
|
|
|
|
# Write to /system.
|
|
neverallow netd system_file:dir_file_class_set write;
|
|
|
|
# Write to files in /data/data or system files on /data
|
|
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
|
|
|
|
# only system_server, dumpstate and netd may interact with netd over binder
|
|
neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
|
|
neverallow { domain -system_server -dumpstate } netd:binder call;
|
|
neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
|