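# network manager
#
# Policy for the netd daemon. The allow rules below are grouped by what they
# grant (capabilities, netlink sockets, filesystem access, binder); the
# neverallow rules at the end pin down what netd must never be able to do.
type netd, domain, mlstrustedsubject;
type netd_exec, exec_type, file_type;

net_domain(netd)
# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;

r_dir_file(netd, cgroup)
allow netd system_server:fd use;

allow netd self:capability { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for netd to operate, so the denial is silenced rather than granted.
dontaudit netd self:capability fsetid;

# Netlink socket families netd may open. Only route, tcpdiag and (below) xfrm
# sockets get nlmsg_read/nlmsg_write; the rest are limited to the
# create_socket_perms_no_ioctl set, so no netlink ioctl is granted here.
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
allow netd self:netlink_socket create_socket_perms_no_ioctl;
allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
not_full_treble(`allow netd vendor_file:file x_file_perms;')
allow netd devpts:chr_file rw_file_perms;

# Acquire advisory lock on /system/etc/xtables.lock
allow netd system_file:file lock;

r_dir_file(netd, proc_net)
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file rw_file_perms;

# Enables PppController and interface enumeration (among others)
r_dir_file(netd, sysfs_type)
# Allows setting interface MTU
allow netd sysfs:file write;

# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;

# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why? dac_override bypasses discretionary file permission checks entirely,
# so this grant should be justified or narrowed rather than carried forward.
allow netd self:capability { dac_override chown };

# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
allow netd self:capability fowner;

# Allow netd to signal dnsmasq, which runs in its own domain.
# (Only the signal permission is granted here; the domain transition
# for spawning dnsmasq is not part of this file.)
allow netd dnsmasq:process signal;

# Allow netd to signal clatd, which runs in its own domain.
allow netd clatd:process signal;

set_prop(netd, ctl_mdnsd_prop)

# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
add_service(netd, netd_service)
allow netd dumpstate:fifo_file { getattr write };

# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
allow netd permission_service:service_manager find;

# Allow netd to talk to the framework service which collects netd events.
allow netd netd_listener_service:service_manager find;

# Allow netd to operate on sockets that are passed to it.
# Note: no create/bind/connect here -- netd may only use sockets a
# netdomain process hands over via fd use.
allow netd netdomain:{
    tcp_socket
    udp_socket
    rawip_socket
    tun_socket
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;

# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };

###
### Neverallow rules
###
### netd should NEVER do any of this. These are compile-time assertions:
### any allow rule elsewhere that contradicts them fails the policy build.

# Block device access.
neverallow netd dev_type:blk_file { read write };

# ptrace any other process (the target set is every domain).
neverallow netd { domain }:process ptrace;

# Write to /system.
neverallow netd system_file:dir_file_class_set write;

# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;

# only system_server, dumpstate and netd may interact with netd over binder
neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
neverallow { domain -system_server -dumpstate } netd:binder call;
# Conversely, netd itself may only call system_server and servicemanager
# (plus su on userdebug/eng builds).
neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;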