      1 # network manager
      2 type netd, domain, mlstrustedsubject;
      3 type netd_exec, exec_type, file_type;
      4 
      5 init_daemon_domain(netd)
      6 net_domain(netd)
      7 
      8 allow netd self:capability { net_admin net_raw kill };
      9 # Note: fsetid is deliberately not included above. fsetid checks are
     10 # triggered by chmod on a directory or file owned by a group other
     11 # than one of the groups assigned to the current process to see if
     12 # the setgid bit should be cleared, regardless of whether the setgid
     13 # bit was even set.  We do not appear to truly need this capability
     14 # for netd to operate.
     15 dontaudit netd self:capability fsetid;
     16 
     17 allow netd self:netlink_kobject_uevent_socket create_socket_perms;
     18 allow netd self:netlink_route_socket nlmsg_write;
     19 allow netd self:netlink_nflog_socket create_socket_perms;
     20 allow netd self:netlink_socket create_socket_perms;
     21 allow netd shell_exec:file rx_file_perms;
     22 allow netd system_file:file x_file_perms;
     23 allow netd devpts:chr_file rw_file_perms;
     24 
     25 # For /proc/sys/net/ipv[46]/route/flush.
     26 allow netd proc_net:file write;
     27 
     28 # For /sys/modules/bcmdhd/parameters/firmware_path
     29 # XXX Split into its own type.
     30 allow netd sysfs:file write;
     31 
     32 # Set dhcp lease for PAN connection
     33 set_prop(netd, dhcp_prop)
     34 set_prop(netd, system_prop)
     35 auditallow netd system_prop:property_service set;
     36 
     37 # Connect to PAN
     38 domain_auto_trans(netd, dhcp_exec, dhcp)
     39 allow netd dhcp:process signal;
     40 
     41 # Needed to update /data/misc/wifi/hostapd.conf
     42 # TODO: See what we can do to reduce the need for
     43 # these capabilities
     44 allow netd self:capability { dac_override chown fowner };
     45 allow netd wifi_data_file:file create_file_perms;
     46 allow netd wifi_data_file:dir rw_dir_perms;
     47 
     48 # Needed to update /data/misc/net/rt_tables
     49 allow netd net_data_file:file create_file_perms;
     50 allow netd net_data_file:dir rw_dir_perms;
     51 
     52 # Allow netd to spawn hostapd in it's own domain
     53 domain_auto_trans(netd, hostapd_exec, hostapd)
     54 allow netd hostapd:process signal;
     55 
     56 # Allow netd to spawn dnsmasq in it's own domain
     57 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
     58 allow netd dnsmasq:process signal;
     59 
     60 # Allow netd to start clatd in its own domain
     61 domain_auto_trans(netd, clatd_exec, clatd)
     62 allow netd clatd:process signal;
     63 
     64 set_prop(netd, ctl_mdnsd_prop)
     65 
     66 # Allow netd to operate on sockets that are passed to it.
     67 allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
     68 allow netd netdomain:fd use;
     69 
     70 ###
     71 ### Neverallow rules
     72 ###
     73 ### netd should NEVER do any of this
     74 
     75 # Block device access.
     76 neverallow netd dev_type:blk_file { read write };
     77 
     78 # ptrace any other app
     79 neverallow netd { domain }:process ptrace;
     80 
     81 # Write to /system.
     82 neverallow netd system_file:dir_file_class_set write;
     83 
     84 # Write to files in /data/data or system files on /data
     85 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
     86