# network manager
#
# SELinux type-enforcement policy for the netd daemon: the allow rules say
# what netd may do, the neverallow rules at the bottom say what it must never
# be granted (checked when the policy is built, so any later allow that
# contradicts them fails the build).
type netd, domain, domain_deprecated, mlstrustedsubject;
type netd_exec, exec_type, file_type;

init_daemon_domain(netd)
net_domain(netd)

# net_admin / net_raw: interface, routing and firewall configuration plus
# raw sockets. kill: presumably for the process:signal rules on the daemons
# netd spawns below (hostapd, dnsmasq, clatd) -- confirm.
allow netd self:capability { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for netd to operate.
dontaudit netd self:capability fsetid;

# Netlink sockets. The route socket rule adds only nlmsg_write here (its base
# socket permissions presumably come from net_domain() -- verify); tcpdiag is
# the only family given both nlmsg_read and nlmsg_write; every other family
# is limited to the create_socket_perms macro.
allow netd self:netlink_kobject_uevent_socket create_socket_perms;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms;
allow netd self:netlink_socket create_socket_perms;
allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket create_socket_perms;
allow netd self:netlink_netfilter_socket create_socket_perms;
# Execute helpers: anything labelled system_file, plus the shell.
# NOTE(review): letting a privileged daemon execute shell_exec is a broad
# grant; confirm a caller still depends on it.
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
# Read/write pseudo-terminals; the consumer of this is not visible here.
allow netd devpts:chr_file rw_file_perms;

# For /proc/sys/net/ipv[46]/route/flush.
# proc_net is a shared label, so this is write access to every file carrying
# it, not just the flush node.
allow netd proc_net:file write;

# For /sys/modules/bcmdhd/parameters/firmware_path
# XXX Split into its own type.
# Until that happens this is write access to any file labelled sysfs, far
# more than the single firmware_path node it exists for.
allow netd sysfs:file write;

# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;

# Needed to update /data/misc/wifi/hostapd.conf
# TODO: See what we can do to reduce the need for
# these capabilities
# dac_override bypasses discretionary (uid/gid/mode-bit) file checks, so with
# chown and fowner this is close to root-level file access. The capability
# itself is not scoped by SELinux; only the file-type allow rules around it
# limit where netd can actually exercise it.
allow netd self:capability { dac_override chown fowner };
allow netd wifi_data_file:file create_file_perms;
allow netd wifi_data_file:dir rw_dir_perms;

# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;

# Allow netd to spawn hostapd in its own domain
# (domain_auto_trans: executing hostapd_exec switches the child to the
# hostapd domain, so netd's own permissions are not inherited).
domain_auto_trans(netd, hostapd_exec, hostapd)
allow netd hostapd:process signal;

# Allow netd to spawn dnsmasq in its own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
allow netd dnsmasq:process signal;

# Allow netd to start clatd in its own domain
domain_auto_trans(netd, clatd_exec, clatd)
allow netd clatd:process signal;

# ctl_mdnsd_prop: presumably the control property for mdnsd -- confirm.
set_prop(netd, ctl_mdnsd_prop)

# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
allow netd netd_service:service_manager add;
# Presumably for writing dump output into a pipe handed over by dumpstate.
allow netd dumpstate:fifo_file { getattr write };

# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
allow netd permission_service:service_manager find;

# Allow netd to talk to the framework service which collects DNS query metrics.
allow netd dns_listener_service:service_manager find;

# Allow netd to operate on sockets that are passed to it.
# netdomain is presumably the attribute net_domain() assigns, so this covers
# sockets owned by any such domain. Note there is no create/bind/connect
# here: only operations on an already-open socket received over an fd.
allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
allow netd netdomain:fd use;


###
### Neverallow rules
###
### netd should NEVER do any of this

# Block device access.
neverallow netd dev_type:blk_file { read write };

# ptrace any other app
# (domain is every process type, netd itself included).
neverallow netd { domain }:process ptrace;

# Write to /system.
# Pairs with the x_file_perms grant above: netd may execute system_file
# but never modify it.
neverallow netd system_file:dir_file_class_set write;

# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;

# only system_server and dumpstate may interact with netd over binder
neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
neverallow { domain -system_server -dumpstate } netd:binder call;
# ... and netd itself may only call out to system_server and servicemanager
# (plus su on userdebug/eng builds), so a compromised netd cannot reach
# other binder services.
neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;