Home | History | Annotate | Download | only in public 
      1 # network manager
      2 type netd, domain, mlstrustedsubject;
      3 type netd_exec, exec_type, file_type;
      4 
      5 net_domain(netd)
      6 # in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
      7 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
      8 
      9 r_dir_file(netd, cgroup)
     10 allow netd system_server:fd use;
     11 
     12 allow netd self:capability { net_admin net_raw kill };
     13 # Note: fsetid is deliberately not included above. fsetid checks are
     14 # triggered by chmod on a directory or file owned by a group other
     15 # than one of the groups assigned to the current process to see if
     16 # the setgid bit should be cleared, regardless of whether the setgid
     17 # bit was even set.  We do not appear to truly need this capability
     18 # for netd to operate.
     19 dontaudit netd self:capability fsetid;
     20 
     21 allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
     22 allow netd self:netlink_route_socket nlmsg_write;
     23 allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
     24 allow netd self:netlink_socket create_socket_perms_no_ioctl;
     25 allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
     26 allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
     27 allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
     28 allow netd shell_exec:file rx_file_perms;
     29 allow netd system_file:file x_file_perms;
     30 not_full_treble(`allow netd vendor_file:file x_file_perms;')
     31 allow netd devpts:chr_file rw_file_perms;
     32 
     33 # Acquire advisory lock on /system/etc/xtables.lock
     34 allow netd system_file:file lock;
     35 
     36 r_dir_file(netd, proc_net)
     37 # For /proc/sys/net/ipv[46]/route/flush.
     38 allow netd proc_net:file rw_file_perms;
     39 
     40 # Enables PppController and interface enumeration (among others)
     41 r_dir_file(netd, sysfs_type)
     42 # Allows setting interface MTU
     43 allow netd sysfs:file write;
     44 
     45 # TODO: added to match above sysfs rule. Remove me?
     46 allow netd sysfs_usb:file write;
     47 
     48 # TODO: netd previously thought it needed these permissions to do WiFi related
     49 #       work.  However, after all the WiFi stuff is gone, we still need them.
     50 #       Why?
     51 allow netd self:capability { dac_override chown };
     52 
     53 # Needed to update /data/misc/net/rt_tables
     54 allow netd net_data_file:file create_file_perms;
     55 allow netd net_data_file:dir rw_dir_perms;
     56 allow netd self:capability fowner;
     57 
     58 # Needed to lock the iptables lock.
     59 allow netd system_file:file lock;
     60 
     61 # Allow netd to spawn dnsmasq in it's own domain
     62 allow netd dnsmasq:process signal;
     63 
     64 # Allow netd to start clatd in its own domain
     65 allow netd clatd:process signal;
     66 
     67 set_prop(netd, ctl_mdnsd_prop)
     68 set_prop(netd, netd_stable_secret_prop)
     69 
     70 # Allow netd to publish a binder service and make binder calls.
     71 binder_use(netd)
     72 add_service(netd, netd_service)
     73 allow netd dumpstate:fifo_file  { getattr write };
     74 
     75 # Allow netd to call into the system server so it can check permissions.
     76 allow netd system_server:binder call;
     77 allow netd permission_service:service_manager find;
     78 
     79 # Allow netd to talk to the framework service which collects netd events.
     80 allow netd netd_listener_service:service_manager find;
     81 
     82 # Allow netd to operate on sockets that are passed to it.
     83 allow netd netdomain:{
     84   tcp_socket
     85   udp_socket
     86   rawip_socket
     87   tun_socket
     88 } { read write getattr setattr getopt setopt };
     89 allow netd netdomain:fd use;
     90 
     91 # give netd permission to read and write netlink xfrm
     92 allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
     93 
     94 # Allow netd to register as hal server.
     95 add_hwservice(netd, system_net_netd_hwservice)
     96 hwbinder_use(netd)
     97 get_prop(netd, hwservicemanager_prop)
     98 
     99 ###
    100 ### Neverallow rules
    101 ###
    102 ### netd should NEVER do any of this
    103 
    104 # Block device access.
    105 neverallow netd dev_type:blk_file { read write };
    106 
    107 # ptrace any other app
    108 neverallow netd { domain }:process ptrace;
    109 
    110 # Write to /system.
    111 neverallow netd system_file:dir_file_class_set write;
    112 
    113 # Write to files in /data/data or system files on /data
    114 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
    115 
    116 # only system_server and dumpstate may find netd service
    117 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
    118 
    119 # apps may not interact with netd over binder.
    120 neverallow appdomain netd:binder call;
    121 neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
    122 
    123 # persist.netd.stable_secret contains RFC 7217 secret key which should never be
    124 # leaked to other processes. Make sure it never leaks.
    125 neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
    126 
    127 # We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
    128 # the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
    129 neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
    130