      1 # network manager
        #
        # SELinux policy for the netd domain (Android's network management
        # daemon). Declares the domain and its executable type, grants the
        # capabilities, sockets and file accesses netd needs, and closes with
        # neverallow rules that pin the outer boundary of that access.
      2 type netd, domain;
      3 type netd_exec, exec_type, file_type;
      4 
        # init starts netd and transitions it into this domain; net_domain()
        # supplies the network-socket permissions shared by network daemons.
      5 init_daemon_domain(netd)
      6 net_domain(netd)
      7 
        # Base capabilities: net_admin and net_raw cover network configuration
        # and raw-socket work; kill is presumably for signalling the helper
        # daemons spawned further down (dhcp, hostapd, dnsmasq, clatd).
      8 allow netd self:capability { net_admin net_raw kill };
      9 # Note: fsetid is deliberately not included above. fsetid checks are
     10 # triggered by chmod on a directory or file owned by a group other
     11 # than one of the groups assigned to the current process to see if
     12 # the setgid bit should be cleared, regardless of whether the setgid
     13 # bit was even set.  We do not appear to truly need this capability
     14 # for netd to operate.  Uncomment the dontaudit rule below after
     15 # sufficient testing of the fsetid removal.
     16 # dontaudit netd self:capability fsetid;
     17 
        # Netlink sockets: the uevent (kobject) and nflog sockets are fully
        # created here; the route socket only gets nlmsg_write from this file
        # (its remaining socket permissions presumably come via net_domain()).
     18 allow netd self:netlink_kobject_uevent_socket create_socket_perms;
     19 allow netd self:netlink_route_socket nlmsg_write;
     20 allow netd self:netlink_nflog_socket create_socket_perms;
        # Executing the shell and /system binaries, and read/write on a pty.
     21 allow netd shell_exec:file rx_file_perms;
     22 allow netd system_file:file x_file_perms;
     23 allow netd devpts:chr_file rw_file_perms;
     24 
     25 # For /proc/sys/net/ipv[46]/route/flush.
        # NOTE(review): proc_net is one type, so this grants write on every
        # file labelled proc_net, not only route/flush.
     26 allow netd proc_net:file write;
     27 
     28 # For /sys/modules/bcmdhd/parameters/firmware_path
     29 # XXX Split into its own type.
        # NOTE(review): until that split happens this is write access to any
        # sysfs-labelled file, far wider than the single path named above.
     30 allow netd sysfs:file write;
     31 
     32 # Set dhcp lease for PAN connection
        # Property writes go through init's property service socket. The
        # system_prop set is additionally auditallow'd, so every use of it is
        # logged -- presumably to gather evidence on whether it is needed.
     33 unix_socket_connect(netd, property, init)
     34 allow netd dhcp_prop:property_service set;
     35 allow netd system_prop:property_service set;
     36 auditallow netd system_prop:property_service set;
     37 
     38 # Connect to PAN
        # netd execs dhcp_exec and the child runs in the dhcp domain; netd may
        # signal it. The same pattern is used below for hostapd, dnsmasq and
        # clatd.
     39 domain_auto_trans(netd, dhcp_exec, dhcp)
     40 allow netd dhcp:process signal;
     41 
     42 # Needed to update /data/misc/wifi/hostapd.conf
     43 # TODO: See what we can do to reduce the need for
     44 # these capabilities
        # NOTE(review): dac_override bypasses Unix mode-bit checks on every
        # file netd's SELinux rules otherwise allow, not just hostapd.conf;
        # chown and fowner are likewise process-wide. This is the broadest
        # grant in the file and the first candidate for the reduction the
        # TODO asks for.
     45 allow netd self:capability { dac_override chown fowner };
     46 allow netd wifi_data_file:file create_file_perms;
     47 allow netd wifi_data_file:dir rw_dir_perms;
     48 
     49 # Needed to update /data/misc/net/rt_tables
     50 allow netd net_data_file:file create_file_perms;
     51 allow netd net_data_file:dir rw_dir_perms;
     52 
     53 # Allow netd to spawn hostapd in its own domain
     54 domain_auto_trans(netd, hostapd_exec, hostapd)
     55 allow netd hostapd:process signal;
     56 
     57 # Allow netd to spawn dnsmasq in its own domain
     58 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
     59 allow netd dnsmasq:process signal;
     60 
     61 # Allow netd to start clatd in its own domain
     62 domain_auto_trans(netd, clatd_exec, clatd)
     63 allow netd clatd:process signal;
     64 
        # Set the mdnsd control property (presumably the ctl.* start/stop
        # property for mdnsd -- confirm against the property contexts).
     65 allow netd ctl_mdnsd_prop:property_service set;
     66 
     67 # Allow netd to operate on sockets that are passed to it.
        # Covers the listed socket classes owned by any netdomain process.
        # netd may read/write and get/set attributes and options on such a
        # socket, but this rule does not let it create, bind or connect them.
     68 allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
     69 allow netd netdomain:fd use;
     70 
     71 ###
     72 ### Neverallow rules
     73 ###
     74 ### netd should NEVER do any of this
        ### These are build-time assertions: the policy fails to compile if any
        ### rule here or in another .te file grants what they forbid.
     75 
     76 # Block device access.
     77 neverallow netd dev_type:blk_file { read write };
     78 
     79 # ptrace any other app
        # { domain } covers every process domain, so this also forbids
        # ptrace of netd's own helper daemons.
     80 neverallow netd { domain }:process ptrace;
     81 
     82 # Write to /system.
     83 neverallow netd system_file:dir_file_class_set write;
     84 
     85 # Write to files in /data/data or system files on /data
     86 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
     87