author | alk3pInjection <webmaster@raspii.tech> | 2022-05-01 21:36:16 +0800 |
---|---|---|
committer | alk3pInjection <webmaster@raspii.tech> | 2022-05-01 21:36:16 +0800 |
commit | 329b113bc1329f83fe1eecd32213435f8885ca71 (patch) | |
tree | af249b7fce9300b5248cbffe94a08d48fb919f73 /prebuilts/api/32.0/private/network_stack.te | |
parent | 18c07b58901c9d0e7fc0d908ed38146847bab5b3 (diff) | |
parent | d7b93dbd049c0eacfb7ad14677457836c79b38f6 (diff) |
Merge tag 'LA.QSSI.12.0.r1-06800-qssi.0' into sugisawa-mr1HEADsugisawa-mr1
"LA.QSSI.12.0.r1-06800-qssi.0"
Change-Id: I35dbb71151ce8b3bf68b425732a761532c638017
Diffstat (limited to 'prebuilts/api/32.0/private/network_stack.te')
-rw-r--r-- | prebuilts/api/32.0/private/network_stack.te | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/network_stack.te b/prebuilts/api/32.0/private/network_stack.te
new file mode 100644
index 000000000..09a98b534
--- /dev/null
+++ b/prebuilts/api/32.0/private/network_stack.te
@@ -0,0 +1,62 @@
+# Networking service app
+typeattribute network_stack coredomain, mlstrustedsubject;
+
+app_domain(network_stack);
+net_domain(network_stack);
+
+allow network_stack self:global_capability_class_set {
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+};
+
+# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
+allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# The DhcpClient uses packet_sockets
+allow network_stack self:packet_socket create_socket_perms_no_ioctl;
+
+# Monitor neighbors via netlink.
+allow network_stack self:netlink_route_socket nlmsg_write;
+
+allow network_stack app_api_service:service_manager find;
+allow network_stack dnsresolver_service:service_manager find;
+allow network_stack netd_service:service_manager find;
+allow network_stack network_watchlist_service:service_manager find;
+allow network_stack radio_service:service_manager find;
+allow network_stack system_config_service:service_manager find;
+allow network_stack radio_data_file:dir create_dir_perms;
+allow network_stack radio_data_file:file create_file_perms;
+
+binder_call(network_stack, netd);
+
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow network_stack self:key_socket create;
+# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
+# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
+dontaudit network_stack self:key_socket getopt;
+
+# Grant read permission of connectivity namespace system property prefix.
+get_prop(network_stack, device_config_connectivity_prop)
+
+# Create/use netlink_tcpdiag_socket to get tcp info
+allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+############### Tethering Service app - Tethering.apk ##############
+hal_client_domain(network_stack, hal_tetheroffload)
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow network_stack network_stack_service:service_manager find;
+# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
+allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
+allow network_stack bpfloader:bpf { map_read map_write prog_run };
+
+# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+# Unfortunately init/vendor_init have all sorts of extra privs
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
+
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr }; |
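Review bot: The two radio_data_file rules in the middle of the hunk (`allow network_stack radio_data_file:dir create_dir_perms;` and `allow network_stack radio_data_file:file create_file_perms;`) are the only grants in this file with no comment saying what they are for, and they give full create/write access on what is presumably telephony persistent data to an app domain that also holds net_admin, net_raw and packet sockets. I would add a one-line why-comment naming the consumer and the path, e.g. `# network_stack writes <what> under radio_data_file for <feature>` filled in from the source policy, and confirm that a narrower type or a read-only permission set is not sufficient. Since this is the frozen 32.0 prebuilt, it presumably has to stay identical to the source-tree private/network_stack.te, so any tightening belongs in the source file and should reach this copy only through the API freeze. Note also that the first neverallow pair carves init and vendor_init out of the "only the bpfloader and the network_stack" guarantee stated in the comment above it, so that comment describes intent rather than what the policy enforces; the second pair is what actually bounds those two domains.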