android_system_sepolicy/public/dnsmasq.te

# DNS, DHCP services
type dnsmasq, domain;
type dnsmasq_exec, system_file_type, exec_type, file_type;

net_domain(dnsmasq)
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;

# TODO:  Run with dhcp group to avoid need for dac_override.
allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };

allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };

allow dnsmasq dhcp_data_file:dir w_dir_perms;
allow dnsmasq dhcp_data_file:file create_file_perms;

# Inherit and use open files from netd.
allow dnsmasq netd:fd use;
allow dnsmasq netd:fifo_file { getattr read write };
# TODO: Investigate whether these inherited sockets should be closed on exec.
allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
allow dnsmasq netd:netlink_nflog_socket { read write };
allow dnsmasq netd:netlink_route_socket { read write };
allow dnsmasq netd:unix_stream_socket { getattr read write };
allow dnsmasq netd:unix_dgram_socket { read write };
allow dnsmasq netd:udp_socket { read write };

# sometimes a network device vanishes and we try to load module netdev-{devicename}
dontaudit dnsmasq kernel:system module_request;
Make dnsmasq permissive or unconfined. Also add rules from our policy. Change-Id: I86f07f54c5120c511f9cab2877cf765c3ae7c1a8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 11:42:35 -07:00			`# DNS, DHCP services`
remove more domain_deprecated Test: no denials showing up in log collection Test: device boots Bug: 28760354 Change-Id: I089cfcf486464952fcbb52cce9f6152caf662c23 2016-12-09 19:30:39 -08:00			`type dnsmasq, domain;`
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5 2018-09-27 10:21:37 -07:00			`type dnsmasq_exec, system_file_type, exec_type, file_type;`
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0 2013-06-27 15:11:02 -07:00
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-24 12:06:11 -08:00			`net_domain(dnsmasq)`
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe 2016-05-16 21:12:17 -07:00			`allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;`
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-24 12:06:11 -08:00
Allow dnsmasq dac_override capability. dnsmasq presently requires dac_override to create files under /data/misc/dhcp. Until it can be changed to run with group dhcp, allow dac_override. Addresses denials such as: avc: denied { dac_override } for pid=21166 comm="dnsmasq" capability=1 scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability Change-Id: Ic352dc7fc4ab44086c6b06cf727c48f29098f3a1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-03-12 12:12:52 -07:00			`# TODO: Run with dhcp group to avoid need for dac_override.`
sepolicy: grant dac_read_search to domains with dac_override kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4 2018-09-06 15:19:40 -07:00			`allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };`
Allow dnsmasq dac_override capability. dnsmasq presently requires dac_override to create files under /data/misc/dhcp. Until it can be changed to run with group dhcp, allow dac_override. Addresses denials such as: avc: denied { dac_override } for pid=21166 comm="dnsmasq" capability=1 scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability Change-Id: Ic352dc7fc4ab44086c6b06cf727c48f29098f3a1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-03-12 12:12:52 -07:00
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f 2017-11-09 14:51:26 -08:00			`allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };`
Make dnsmasq permissive or unconfined. Also add rules from our policy. Change-Id: I86f07f54c5120c511f9cab2877cf765c3ae7c1a8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 11:42:35 -07:00
			`allow dnsmasq dhcp_data_file:dir w_dir_perms;`
			`allow dnsmasq dhcp_data_file:file create_file_perms;`
Address dnsmasq denials. Address dnsmasq denials such as: avc: denied { use } for pid=9145 comm="dnsmasq" path="pipe:[29234]" dev="pipefs" ino=29234 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fd avc: denied { read } for pid=9145 comm="dnsmasq" path="pipe:[29234]" dev="pipefs" ino=29234 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fifo_file avc: denied { read write } for pid=9145 comm="dnsmasq" path="socket:[7860]" dev="sockfs" ino=7860 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_kobject_uevent_socket avc: denied { read write } for pid=9145 comm="dnsmasq" path="socket:[8221]" dev="sockfs" ino=8221 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket avc: denied { read write } for pid=9523 comm="dnsmasq" path="socket:[7860]" dev="sockfs" ino=7860 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_kobject_uevent_socket avc: denied { read write } for pid=9523 comm="dnsmasq" path="socket:[7862]" dev="sockfs" ino=7862 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_route_socket avc: denied { net_raw } for pid=9607 comm="dnsmasq" capability=13 scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability avc: denied { net_admin } for pid=9607 comm="dnsmasq" capability=12 scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability Change-Id: I2bd1eaf22879f09df76a073028cc282362eebeee Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-03-07 11:46:38 -08:00
			`# Inherit and use open files from netd.`
			`allow dnsmasq netd:fd use;`
selinux - allow dnsmasq to getattr on fifos This is presumably libc isatty detection on stdin/out/err. Either way - allowing it is harmless. This fixes: type=1400 audit(): avc: denied { getattr } for comm="dnsmasq" path="pipe:[38315]" dev="pipefs" ino=38315 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fifo_file permissive=0 Test: built and observed no more avc denials on crosshatch Bug: 77868789 Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: Ieab51aeb67ebb85b6c778410ba96963612277ae4 2019-04-08 21:16:28 -07:00			`allow dnsmasq netd:fifo_file { getattr read write };`
Address dnsmasq denials. Address dnsmasq denials such as: avc: denied { use } for pid=9145 comm="dnsmasq" path="pipe:[29234]" dev="pipefs" ino=29234 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fd avc: denied { read } for pid=9145 comm="dnsmasq" path="pipe:[29234]" dev="pipefs" ino=29234 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fifo_file avc: denied { read write } for pid=9145 comm="dnsmasq" path="socket:[7860]" dev="sockfs" ino=7860 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_kobject_uevent_socket avc: denied { read write } for pid=9145 comm="dnsmasq" path="socket:[8221]" dev="sockfs" ino=8221 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket avc: denied { read write } for pid=9523 comm="dnsmasq" path="socket:[7860]" dev="sockfs" ino=7860 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_kobject_uevent_socket avc: denied { read write } for pid=9523 comm="dnsmasq" path="socket:[7862]" dev="sockfs" ino=7862 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_route_socket avc: denied { net_raw } for pid=9607 comm="dnsmasq" capability=13 scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability avc: denied { net_admin } for pid=9607 comm="dnsmasq" capability=12 scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability Change-Id: I2bd1eaf22879f09df76a073028cc282362eebeee Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-03-07 11:46:38 -08:00			`# TODO: Investigate whether these inherited sockets should be closed on exec.`
			`allow dnsmasq netd:netlink_kobject_uevent_socket { read write };`
			`allow dnsmasq netd:netlink_nflog_socket { read write };`
			`allow dnsmasq netd:netlink_route_socket { read write };`
dnsmasq - allow getattr on unix stream sockets Fix for: type=1400 audit(): avc: denied { getattr } for comm="dnsmasq" path="socket:[25224]" dev="sockfs" ino=25224 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket permissive=0 b/77868789 Test: built and observed no more avc denials on aosp blueline Bug: 77868789 Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I5af4d01e17f2d37335f523a49c7b1f81886edfa2 2019-05-02 15:12:19 -07:00			`allow dnsmasq netd:unix_stream_socket { getattr read write };`
Allow netd-spawned domains to use inherited netd unix_dgram_socket. Resolves denials such as: avc: denied { read write } for pid=4346 comm="hostapd" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:hostapd:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket avc: denied { read write } for pid=4348 comm="dnsmasq" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket Change-Id: Ie82f39c32c6e04bc9ef1369ca787cf80b3b4141c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-03-18 07:45:15 -07:00			`allow dnsmasq netd:unix_dgram_socket { read write };`
Allow dnsmasq to inherit/use netd UDP socket. Addresses denials such as: avc: denied { read write } for comm="dnsmasq" path="socket:[1054090]" dev="sockfs" ino=1054090 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=udp_socket This may not be needed (need to check netd to see if it should be closing all of these sockets before exec'ing other programs), but should be harmless. Change-Id: I77c7af5e050e039fd48322914eeabbcb8a716040 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-06-11 06:05:32 -07:00			`allow dnsmasq netd:udp_socket { read write };`
add dontaudit dnsmasq kernel:system module_request This was originally added due to: avc: denied { module_request } for comm="dnsmasq" kmod="netdev-bt-pan" scontext=u:r:dnsmasq:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0 in wahoo specific selinux policy in commit cd761300c1cc67cb2be3e001b95317e8a865c5fe 'Allow some denials we have seen.' This is most likely simply triggered by a race condition on attempting to access a non existent network device 'bt-pan'. While we've never seen this anywhere else, it could potentially happen on any device so we might as well make this global... Test: N/A Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I00f61a5fc2bfce604badf3b96f6ed808157eb78c 2020-01-18 18:22:03 -08:00
			`# sometimes a network device vanishes and we try to load module netdev-{devicename}`
			`dontaudit dnsmasq kernel:system module_request;`