Diffstat (limited to 'prebuilts/api/32.0/public/netd.te')
-rw-r--r-- | prebuilts/api/32.0/public/netd.te | 176 |
1 files changed, 176 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/public/netd.te b/prebuilts/api/32.0/public/netd.te
new file mode 100644
index 000000000..ff0bff6c9
--- /dev/null
+++ b/prebuilts/api/32.0/public/netd.te
@@ -0,0 +1,176 @@
+# network manager
+type netd, domain, mlstrustedsubject;
+type netd_exec, system_file_type, exec_type, file_type;
+
+net_domain(netd)
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
+allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(netd, cgroup)
+
+allow netd system_server:fd use;
+
+allow netd self:global_capability_class_set { net_admin net_raw kill };
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for netd to operate.
+dontaudit netd self:global_capability_class_set fsetid;
+
+# Allow netd to open /dev/tun, set it up and pass it to clatd
+allow netd tun_device:chr_file rw_file_perms;
+allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allow netd self:tun_socket create;
+
+allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_route_socket nlmsg_write;
+allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow netd shell_exec:file rx_file_perms;
+allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
+allow netd devpts:chr_file rw_file_perms;
+
+# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
+# exist, suppress the denial.
+allow netd system_file:file lock;
+dontaudit netd system_file:dir write;
+
+# Allow netd to write to qtaguid ctrl file.
+# TODO: Add proper rules to prevent other process to access qtaguid_proc file
+# after migration complete
+allow netd proc_qtaguid_ctrl:file rw_file_perms;
+# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
+allow netd qtaguid_device:chr_file r_file_perms;
+
+r_dir_file(netd, proc_net_type)
+# For /proc/sys/net/ipv[46]/route/flush.
+allow netd proc_net_type:file rw_file_perms;
+
+# Enables PppController and interface enumeration (among others)
+allow netd sysfs:dir r_dir_perms;
+r_dir_file(netd, sysfs_net)
+
+# Allows setting interface MTU
+allow netd sysfs_net:file w_file_perms;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow netd sysfs_usb:file write;
+
+r_dir_file(netd, cgroup_v2)
+
+allow netd fs_bpf:dir search;
+allow netd fs_bpf:file { read write };
+
+# TODO: netd previously thought it needed these permissions to do WiFi related
+# work. However, after all the WiFi stuff is gone, we still need them.
+# Why?
+allow netd self:global_capability_class_set { dac_override dac_read_search chown };
+
+# Needed to update /data/misc/net/rt_tables
+allow netd net_data_file:file create_file_perms;
+allow netd net_data_file:dir rw_dir_perms;
+allow netd self:global_capability_class_set fowner;
+
+# Needed to lock the iptables lock.
+allow netd system_file:file lock;
+
+# Allow netd to spawn dnsmasq in it's own domain
+allow netd dnsmasq:process signal;
+
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+add_service(netd, netd_service)
+add_service(netd, dnsresolver_service)
+allow netd dumpstate:fifo_file { getattr write };
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+allow netd permission_service:service_manager find;
+
+# Allow netd to talk to the framework service which collects netd events.
+allow netd netd_listener_service:service_manager find;
+
+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{
+ icmp_socket
+ tcp_socket
+ udp_socket
+ rawip_socket
+ tun_socket
+} { read write getattr setattr getopt setopt };
+allow netd netdomain:fd use;
+
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+# Allow netd to register as hal server.
+add_hwservice(netd, system_net_netd_hwservice)
+hwbinder_use(netd)
+
+###
+### Neverallow rules
+###
+### netd should NEVER do any of this
+
+# Block device access.
+neverallow netd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow netd { domain }:process ptrace;
+
+# Write to /system.
+neverallow netd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
+
+# only system_server, dumpstate and network stack app may find netd service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} netd_service:service_manager find;
+
+# only system_server, dumpstate and network stack app may find dnsresolver service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} dnsresolver_service:service_manager find;
+
+# apps may not interact with netd over binder.
+neverallow { appdomain -network_stack } netd:binder call;
+neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
+
+# If an already existing file is opened with O_CREATE, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+neverallow netd proc_net:dir no_w_dir_perms;
+dontaudit netd proc_net:dir write;
+
+neverallow netd sysfs_net:dir no_w_dir_perms;
+dontaudit netd sysfs_net:dir write;
+
+# Netd should not have SYS_ADMIN privs.
+neverallow netd self:capability sys_admin;
+dontaudit netd self:capability sys_admin;
+
+# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
+# (things it requires should be built directly into the kernel)
+dontaudit netd self:capability sys_module;
+
+dontaudit netd kernel:system module_request;
+
+dontaudit netd appdomain:unix_stream_socket { read write }; |
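Review bot: The capability guard at the end of the hunk, `neverallow netd self:capability sys_admin;`, is narrower than the grants earlier in the file, which are written against `global_capability_class_set`; as written it would not reject a later `allow netd self:cap_userns sys_admin`, so the stronger form is `neverallow netd self:global_capability_class_set sys_admin;` (the matching `dontaudit` for sys_admin and the sys_module `dontaudit` can use the same set). Separately, the `{ dac_override dac_read_search chown }` grant and the `sysfs_usb:file write` grant both still carry TODOs asking why they are needed; dac_override in particular lets netd bypass file ownership checks on anything its type-enforcement rules already reach, so the justification should be recorded in the comment or the rule narrowed. Since this path looks like a frozen API prebuilt, the change presumably belongs in the live public/netd.te with this snapshot left as frozen — confirm before touching it here.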