# network manager
#
# SELinux (SEAndroid) domain for netd, the network management daemon.
# Several of the allow rules below are wider than their stated purpose
# (the original XXX/TODO markers are kept); the neverallow block at the
# end is a compile-time assertion over the whole policy, not a runtime
# check, and is the only thing that stops those broad grants from being
# widened further elsewhere.
type netd, domain;
type netd_exec, exec_type, file_type;

init_daemon_domain(netd)
# kill matches the ":process signal" rules granted towards the child
# daemons spawned below; fsetid is not explained anywhere in this file.
allow netd self:capability { net_admin net_raw kill fsetid };
allow netd self:netlink_kobject_uevent_socket *;
allow netd self:netlink_route_socket *;
allow netd self:netlink_nflog_socket *;
allow netd self:rawip_socket *;
allow netd self:{ tcp_socket udp_socket } *;
allow netd node:{ tcp_socket udp_socket } node_bind;
allow netd port:{ tcp_socket udp_socket } name_bind;
allow netd port:tcp_socket name_connect;
allow netd self:unix_stream_socket *;
# NOTE(review): there is no domain_auto_trans for shell_exec, so a shell
# started by netd keeps running in the netd domain with every capability
# granted here (net_admin, net_raw, dac_override, ...).  Any command string
# netd builds from external input therefore executes with those rights --
# confirm this grant is still required.
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
allow netd devpts:chr_file rw_file_perms;

# For /proc/sys/net/ipv[46]/route/flush.
# XXX Split /proc/sys/net into its own type.
# NOTE(review): until that split, this is write access to every file
# labelled "proc", not only the route-flush knobs.
allow netd proc:file write;

# For /sys/module/bcmdhd/parameters/firmware_path
# (sysfs exposes modules under /sys/module; the earlier comment said
# /sys/modules).
# XXX Split into its own type.
# NOTE(review): likewise this covers every file labelled "sysfs", not just
# the bcmdhd parameter.
allow netd sysfs:file write;

# Set dhcp lease for PAN connection
# unix_socket_connect() gives netd access to init's property socket; the
# second rule lets it set properties of type system_prop.
unix_socket_connect(netd, property, init)
allow netd system_prop:property_service set;

# Connect to PAN
# Executing dhcp_exec transitions the child into the dhcp domain; the signal
# permission lets netd send signals to it afterwards.
domain_auto_trans(netd, dhcp_exec, dhcp)
allow netd dhcp:process signal;

# Needed to update /data/misc/wifi/hostapd.conf
# TODO: See what we can do to reduce the need for
# these capabilities
# NOTE(review): dac_override is a process capability, not scoped to
# wifi_data_file -- it bypasses DAC permission checks on anything the type
# rules in this file already let netd reach.  The wifi_data_file rules are
# the only file grants this section actually needs.
allow netd self:capability { dac_override chown fowner };
allow netd wifi_data_file:file create_file_perms;
allow netd wifi_data_file:dir rw_dir_perms;

# Allow netd to spawn hostapd in its own domain
domain_auto_trans(netd, hostapd_exec, hostapd)
allow netd hostapd:process signal;

# Allow netd to spawn dnsmasq in its own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
allow netd dnsmasq:process signal;

# Allow netd to start clatd in its own domain
domain_auto_trans(netd, clatd_exec, clatd)
allow netd clatd:process signal;

# Support netd running mdnsd
# TODO: prune this back further
# NOTE(review): "set" on ctl_default_prop is not limited to mdnsd; it covers
# whatever ctl.* properties carry that type (service control through init)
# -- confirm that only mdnsd is needed and whether a narrower type exists.
allow netd ctl_default_prop:property_service set;
# Write to sockets labelled "device"; presumably the mdnsd socket under
# /dev -- verify against the mdnsd/netd socket path.
allow netd device:sock_file write;

###
### Neverallow rules
###
### netd should NEVER do any of this
###
### These are assertions checked when the policy is compiled: the build
### fails if any allow rule (here or in another .te file) grants one of
### the permissions below to netd.

# Block device access.
neverallow netd dev_type:blk_file { read write };

# Kernel memory access.
neverallow netd kmem_device:chr_file { read write };

# Setting SELinux enforcing status or booleans.
# Conditionally allowed to system_app for SEAndroidManager.
neverallow netd kernel:security { setenforce setbool };

# Load security policy.
neverallow netd kernel:security load_policy;

# ptrace any other app
# ({ domain } is every process domain, so this also covers netd itself.)
neverallow netd { domain }:process ptrace;

# Write to /system.
neverallow netd system_file:dir_file_class_set write;

# Write to files in /data/data or system files on /data
# (this is what keeps the dac_override grant above from reaching app or
# system data: no allow rule for these types can be added for netd).
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;