Home | History | Annotate | Download | only in sepolicy
      1 # network manager
      2 type netd, domain, domain_deprecated, mlstrustedsubject;
      3 type netd_exec, exec_type, file_type;
      4 
      5 init_daemon_domain(netd)
      6 net_domain(netd)
      7 
      8 allow netd self:capability { net_admin net_raw kill };
      9 # Note: fsetid is deliberately not included above. fsetid checks are
     10 # triggered by chmod on a directory or file owned by a group other
     11 # than one of the groups assigned to the current process to see if
     12 # the setgid bit should be cleared, regardless of whether the setgid
     13 # bit was even set.  We do not appear to truly need this capability
     14 # for netd to operate.
     15 dontaudit netd self:capability fsetid;
     16 
     17 allow netd self:netlink_kobject_uevent_socket create_socket_perms;
     18 allow netd self:netlink_route_socket nlmsg_write;
     19 allow netd self:netlink_nflog_socket create_socket_perms;
     20 allow netd self:netlink_socket create_socket_perms;
     21 allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
     22 allow netd self:netlink_generic_socket create_socket_perms;
     23 allow netd self:netlink_netfilter_socket create_socket_perms;
     24 allow netd shell_exec:file rx_file_perms;
     25 allow netd system_file:file x_file_perms;
     26 allow netd devpts:chr_file rw_file_perms;
     27 
     28 # For /proc/sys/net/ipv[46]/route/flush.
     29 allow netd proc_net:file write;
     30 
     31 # For /sys/modules/bcmdhd/parameters/firmware_path
     32 # XXX Split into its own type.
     33 allow netd sysfs:file write;
     34 
     35 # TODO: added to match above sysfs rule. Remove me?
     36 allow netd sysfs_usb:file write;
     37 
     38 # Needed to update /data/misc/wifi/hostapd.conf
     39 # TODO: See what we can do to reduce the need for
     40 # these capabilities
     41 allow netd self:capability { dac_override chown fowner };
     42 allow netd wifi_data_file:file create_file_perms;
     43 allow netd wifi_data_file:dir rw_dir_perms;
     44 
     45 # Needed to update /data/misc/net/rt_tables
     46 allow netd net_data_file:file create_file_perms;
     47 allow netd net_data_file:dir rw_dir_perms;
     48 
     49 # Allow netd to spawn hostapd in it's own domain
     50 domain_auto_trans(netd, hostapd_exec, hostapd)
     51 allow netd hostapd:process signal;
     52 
     53 # Allow netd to spawn dnsmasq in it's own domain
     54 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
     55 allow netd dnsmasq:process signal;
     56 
     57 # Allow netd to start clatd in its own domain
     58 domain_auto_trans(netd, clatd_exec, clatd)
     59 allow netd clatd:process signal;
     60 
     61 set_prop(netd, ctl_mdnsd_prop)
     62 
     63 # Allow netd to publish a binder service and make binder calls.
     64 binder_use(netd)
     65 allow netd netd_service:service_manager add;
     66 allow netd dumpstate:fifo_file  { getattr write };
     67 
     68 # Allow netd to call into the system server so it can check permissions.
     69 allow netd system_server:binder call;
     70 allow netd permission_service:service_manager find;
     71 
     72 # Allow netd to talk to the framework service which collects DNS query metrics.
     73 allow netd dns_listener_service:service_manager find;
     74 
     75 # Allow netd to operate on sockets that are passed to it.
     76 allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
     77 allow netd netdomain:fd use;
     78 
     79 
     80 ###
     81 ### Neverallow rules
     82 ###
     83 ### netd should NEVER do any of this
     84 
     85 # Block device access.
     86 neverallow netd dev_type:blk_file { read write };
     87 
     88 # ptrace any other app
     89 neverallow netd { domain }:process ptrace;
     90 
     91 # Write to /system.
     92 neverallow netd system_file:dir_file_class_set write;
     93 
     94 # Write to files in /data/data or system files on /data
     95 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
     96 
     97 # only system_server and dumpstate may interact with netd over binder
     98 neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
     99 neverallow { domain -system_server -dumpstate } netd:binder call;
    100 neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
    101