PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4ea5709bc4
android_system_sepolicy/public/netd.te

186 lines
6.5 KiB
Plaintext
Raw Normal View History

SE Android policy.
2012-01-04 09:33:27 -08:00
# network manager
Move domain_deprecated into private policy This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 13:19:03 -07:00
type netd, domain, mlstrustedsubject;
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 10:21:37 -07:00
type netd_exec, system_file_type, exec_type, file_type;
SE Android policy.
2012-01-04 09:33:27 -08:00
put netd into net_domain This addresses the review comments from https://android-review.googlesource.com/#/c/69855/ Change-Id: I4d4633db711695c7f959b60f247772b0ac67931f
2013-12-15 19:04:09 -08:00
net_domain(netd)
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
2016-05-16 21:12:17 -07:00
# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
put netd into net_domain This addresses the review comments from https://android-review.googlesource.com/#/c/69855/ Change-Id: I4d4633db711695c7f959b60f247772b0ac67931f
2013-12-15 19:04:09 -08:00
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
r_dir_file(netd, cgroup)
Add sepolicy to lock down bpf access Add a new set of sepolicy for the process that only netd use to load and run ebpf programs. It is the only process that can load eBPF programs into the kernel and is only used to do that. Add some neverallow rules regarding which processes have access to bpf objects. Test: program successfully loaded and pinned at sys/fs/bpf after device boot. No selinux violation for bpfloader Bug: 30950746 Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
2018-01-02 15:31:18 -08:00
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
allow netd system_server:fd use;
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 14:51:26 -08:00
allow netd self:global_capability_class_set { net_admin net_raw kill };
Remove fsetid from netd. fsetid checks are triggered by chmod on a directory or file owned by a group other than one of the groups assigned to the current process to see if the setgid bit should be cleared, regardless of whether the setgid bit was even set. We do not appear to truly need this capability for netd to operate, so remove it. Potential dontaudit candidate. Change-Id: I5ab4fbaaa056dcd1c7e60ec28632e7bc06f826bf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 10:00:59 -08:00
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
netd dontaudit fsetid For the reasons explained in the pre-existing code, we don't want to grant fsetid to netd, nor do we want denial messages to be generated. Change-Id: I34dcea81acd25b4eddc46bb54ea0d828b33c5fdc
2015-04-02 15:36:51 -07:00
# for netd to operate.
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 14:51:26 -08:00
dontaudit netd self:global_capability_class_set fsetid;
Remove fsetid from netd. fsetid checks are triggered by chmod on a directory or file owned by a group other than one of the groups assigned to the current process to see if the setgid bit should be cleared, regardless of whether the setgid bit was even set. We do not appear to truly need this capability for netd to operate, so remove it. Potential dontaudit candidate. Change-Id: I5ab4fbaaa056dcd1c7e60ec28632e7bc06f826bf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 10:00:59 -08:00
selinux - allow netd to create tun device and pass it in via open fd across execve to clatd cli This is needed to resolve some race conditions between clatd startup and interface naming/numbering. This resolves: type=1400 audit(): avc: denied { read write } for comm="Binder:820_4" name="tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file type=1400 audit(): avc: denied { open } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file type=1400 audit(): avc: denied { ioctl } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 ioctlcmd=0x54ca scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file type=1400 audit(): avc: denied { create } for comm="Binder:820_4" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tun_socket Test: built/installed on crosshatch with netd->clatd tunfd passing and observed no selinux denials Bug: 65674744 Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: Ib501c755e11ec8a3a22c8aa333b5af7ec0bff306
2019-04-08 21:18:50 -07:00
# Allow netd to open /dev/tun, set it up and pass it to clatd
allow netd tun_device:chr_file rw_file_perms;
allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
allow netd self:tun_socket create;
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
2016-05-16 21:12:17 -07:00
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 12:06:11 -08:00
allow netd self:netlink_route_socket nlmsg_write;
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
2016-05-16 21:12:17 -07:00
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
allow netd self:netlink_socket create_socket_perms_no_ioctl;
allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
restore permissions to /vendor for non-treble devices Relabeling /vendor and /system/vendor to vendor_file removed previously granted permissions. Restore these for non-treble devices. Addresses: avc: denied { execute_no_trans } for pid=2944 comm="dumpstate" path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0 tclass=file And potentially some other bugs that have yet to surface. Bug: 37105075 Test: build Fugu Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8
2017-04-13 21:58:12 -07:00
not_full_treble(`allow netd vendor_file:file x_file_perms;')
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
allow netd devpts:chr_file rw_file_perms;
Fix lock logspam and remove domain_deprecated rule Remove system_file:file { lock ioctl } from domain_deprecated. The only domains triggering this were dex2oat and netd, which are fixed in this change. Addresses the following logspam similar to: avc: granted { lock } for comm="iptables" path="/system/etc/xtables.lock" dev="sda22" ino=3745 scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=file avc: granted { lock } for comm="dex2oat" path="/system/framework/arm/boot-okhttp.art" dev="dm-0" ino=1295 scontext=u:r:dex2oat:s0 tcontext=u:object_r:system_file:s0 tclass=file Test: device boots and no obvious problems. Bug: 28760354 Bug: 36879751 Change-Id: Iac851c0e49a52ce4000fdfe16e68c17ff819693f
2017-04-04 18:34:52 -07:00
# Acquire advisory lock on /system/etc/xtables.lock
allow netd system_file:file lock;
Rename qtaguid_proc to conform to name conventions Test: build Bug: 68774956 Change-Id: I0f9fd87eb41e67e14f35e49eba13e3d1de745250
2018-04-03 09:53:23 -07:00
# Allow netd to write to qtaguid ctrl file.
# TODO: Add proper rules to prevent other process to access qtaguid_proc file
# after migration complete
allow netd proc_qtaguid_ctrl:file rw_file_perms;
Allow netd to read the /dev/xt_qtaguid After move qtaguid control interface into netd. Netd need to open the xt_qtaguid resource tracking misc dev to make sure xt_qtaguid module is successfully initialized before taking action. This selinux rule change allows netd to do so and it is the same privilege normal apps currently have. Test: No more selinux denials on netd access qtaguid_device Bug: 30950746 Change-Id: I79a98bbda3f3fdb85140a06a7532cdcc4354c518
2017-11-15 11:18:44 -08:00
# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
allow netd qtaguid_device:chr_file r_file_perms;
sepolicy: allow netd to write to qtaguid file Since all qtaguid related userspace implementation are moved into netd and will use netd to choose which module to run at run time. Netd module should be the only process can directly read/write to the ctrl file of qtaguid located at /proc/net/xt_qtaguid/ctrl. This sepolicy change grant netd the privilege to access qtaguid proc files. It also grant netd the permission to control trigger to turn on and off qtaguid module by write parameters to files under sys_fs. The file and directory related is properly labled. Bug: 68774956 Bug: 30950746 Test: qtaguid function still working after the native function is redirected. Change-Id: Ia6db6f16ecbf8c58f631c79c9b4893ecf2cc607b
2017-10-24 14:40:53 -07:00
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 12:47:48 -07:00
r_dir_file(netd, proc_net_type)
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
# For /proc/sys/net/ipv[46]/route/flush.
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 12:47:48 -07:00
allow netd proc_net_type:file rw_file_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
Define explicit label for wlan sysfs fwpath avc: denied { write } for name="fwpath" dev="sysfs" ino=6863 scontext=u:r:wificond:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0 Test: wificond and netd can write to this path, wifi works Test: `runtest frameworks-wifi` passes Bug: 29579539 Change-Id: Ia21c654b00b09b9fe3e50d564b82966c9c8e6994 (cherry picked from commit 7d13dd806f37523ba8164325fef9b000d6eacd7c)
2016-06-30 14:23:12 -07:00
# Enables PppController and interface enumeration (among others)
Restrict netd fwk policy. Remove netd access to sysfs_type attribute. These were moved from vendor to fwk policy: 1. sysfs_net type declaration 2. labeling of /sys/devices/virtual/net with sysfs_net 3. netd access to sysfs_net Bug: 65643247 Test: can browse internet without netd denials Test: netd_unit_test, netd_integration_test without netd denials Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e (cherry picked from commit e62a56b717acbf0f2152fd92f839953395b741a3)
2017-10-01 15:53:01 -07:00
allow netd sysfs:dir r_dir_perms;
r_dir_file(netd, sysfs_net)
Define explicit label for wlan sysfs fwpath avc: denied { write } for name="fwpath" dev="sysfs" ino=6863 scontext=u:r:wificond:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0 Test: wificond and netd can write to this path, wifi works Test: `runtest frameworks-wifi` passes Bug: 29579539 Change-Id: Ia21c654b00b09b9fe3e50d564b82966c9c8e6994 (cherry picked from commit 7d13dd806f37523ba8164325fef9b000d6eacd7c)
2016-06-30 14:23:12 -07:00
# Allows setting interface MTU
Restrict netd fwk policy. Remove netd access to sysfs_type attribute. These were moved from vendor to fwk policy: 1. sysfs_net type declaration 2. labeling of /sys/devices/virtual/net with sysfs_net 3. netd access to sysfs_net Bug: 65643247 Test: can browse internet without netd denials Test: netd_unit_test, netd_integration_test without netd denials Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e (cherry picked from commit e62a56b717acbf0f2152fd92f839953395b741a3)
2017-10-01 15:53:01 -07:00
allow netd sysfs_net:file w_file_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
Keep pre-existing sysfs write permissions. Commit: b144ebab482891cef32ee84c06dbb0f943823573 added the sysfs_usb type and granted the read perms globally, but did not add write permissions for all domains that previously had them. Add the ability to write to sysfs_usb for all domains that had the ability to write to those files previously (sysfs). Address denials such as: type=1400 audit(1904.070:4): avc: denied { write } for pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0 Bug: 28417852 Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849
2016-06-14 13:41:47 -07:00
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
Use bpfloader to create bpf maps instead of netd Recent change in netd and bpfloader switched the creater of bpf maps from netd to bpfloader. Change the rules related to it to make sure it doesn't fail. Test: dumpsys netd trafficcontroller Bug: 112334572 Change-Id: I016ff68b58ef7b12bdfdebc2fd178be1d0206a62
2018-12-04 17:57:27 -08:00
r_dir_file(netd, cgroup_bpf)
selinux - netd - tighten down bpf policy bpf programs/maps are now loaded by the bpfloader, not netd Test: built/installed on crosshatch which uses eBPF - no avc denials Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I1ebd82e6730d62d1966da3c4634ecd78ce703543
2019-04-08 21:34:53 -07:00
allow netd fs_bpf:dir search;
allow netd fs_bpf:file { read write setattr };
sepolicy: Allow mount cgroupv2 and bpf fs Some necessary sepolicy rule changes for init process to create directory, mount cgroupv2 module and mount bpf filesystem. Also allow netd to create and pin bpf object as files and read it back from file under the directory where bpf filesystem is mounted. Test: bpf maps show up under /sys/fs/bpf/ Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
2017-08-01 18:06:18 -07:00
Remove WiFi permissions from netd Bug: 30041228 Test: WiFi tethering, client mode continues to function Change-Id: I95a583ad4d57642f4731e415abb77732df5289ac (cherry picked from commit fb5b13ee31e8fb224608b521fe337458be838b02)
2016-07-22 16:34:08 -07:00
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
sepolicy: grant dac_read_search to domains with dac_override kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-06 15:19:40 -07:00
allow netd self:global_capability_class_set { dac_override dac_read_search chown };
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
Allow netd to create data files in /data/misc/net/. This will be used to populate rt_tables (a mapping from routing table numbers to table names) that's read by the iproute2 utilities. Change-Id: I69deb1a64d5d6647470823405bf0cc55b24b22de
2014-07-07 22:04:57 -07:00
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 14:51:26 -08:00
allow netd self:global_capability_class_set fowner;
Allow netd to create data files in /data/misc/net/. This will be used to populate rt_tables (a mapping from routing table numbers to table names) that's read by the iproute2 utilities. Change-Id: I69deb1a64d5d6647470823405bf0cc55b24b22de
2014-07-07 22:04:57 -07:00
Explicitly allow netd to take the iptables lock. This was previously relying on domain_deprecated rules deleted in change I588a1e7ea7ef984907b79a5a391efb2dcd6e6431. Bug: 28760354 Test: unbreaks networking on AOSP bullhead Change-Id: I873e1f08f72104dee7509e45b1db0b284ca56085
2017-07-16 01:48:39 -07:00
# Needed to lock the iptables lock.
allow netd system_file:file lock;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
# Allow netd to spawn dnsmasq in it's own domain
allow netd dnsmasq:process signal;
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-04 18:22:45 -07:00
set_prop(netd, ctl_mdnsd_prop)
Revert "Temporarily revert the SELinux policy for persist.netd.stable_secret." This change must only be submitted when device-specific policies have been reverted. This reverts commit 07e631d2e0a01226ea83e517305d1eceb1b1a158. Bug: 17613910 Test: builds Change-Id: Ie33e293107bf1eba2498f2422d941544c76b8cad Merged-In: I356c39a5dc955b3d7c28d8c7baf2887a17beb272
2017-07-10 17:43:19 -07:00
set_prop(netd, netd_stable_secret_prop)
remove "self:process ptrace" from domain, netd neverallow rules Remove "self:process ptrace" from all SELinux enforced domains. In general, a process should never need to ptrace itself. We can add this back to more narrowly scoped domains as needed. Add a bunch of neverallow assertions to netd.te, to verify that netd never gets unexpected capabilities. Change-Id: Ie862dc95bec84068536bb64705667e36210c5f4e
2013-07-12 21:28:41 -07:00
Allow the framework to communicate with netd via a binder service This will allow us to provide a better interface between Java services (e.g., ConnectivityService) and netd than the current FrameworkListener / NativeDaemonConnector interface which uses text strings over a Unix socket. Bug: 27239233 Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af
2016-02-18 06:55:51 -08:00
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
te_macros: introduce add_service() macro Introduce the add_service() macro which wraps up add/find permissions for the source domain with a neverallow preventing others from adding it. Only a particular domain should add a particular service. Use the add_service() macro to automatically add a neverallow that prevents other domains from adding the service. mediadrmserver was adding services labeled mediaserver_service. Drop the add permission as it should just need the find permission. Additionally, the macro adds the { add find } permission which causes some existing neverallow's to assert. Adjust those neverallow's so "self" can always find. Test: compile and run on hikey and emulator. No new denials were found, and all services, where applicable, seem to be running OK. Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-19 13:23:52 -08:00
add_service(netd, netd_service)
Add sepolicy for resolver service Bug: 126141549 Test: built, flashed, booted Change-Id: I34260e1e5cc238fbe92574f928252680c1e6b417
2019-02-25 04:12:15 -08:00
add_service(netd, dnsresolver_service)
Allow bugreports to dump the native netd service state. Bug: 28251026 Change-Id: I73dce178b873d45e703896f12c10325af2ade81d
2016-04-18 16:05:44 -07:00
allow netd dumpstate:fifo_file { getattr write };
Allow the framework to communicate with netd via a binder service This will allow us to provide a better interface between Java services (e.g., ConnectivityService) and netd than the current FrameworkListener / NativeDaemonConnector interface which uses text strings over a Unix socket. Bug: 27239233 Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af
2016-02-18 06:55:51 -08:00
# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
Allow netd to check permissions. Bug: 27239233 Change-Id: I82e3451542f08de67ad950223be90e37a2d3e899
2016-03-02 05:55:17 -08:00
allow netd permission_service:service_manager find;
Allow the framework to communicate with netd via a binder service This will allow us to provide a better interface between Java services (e.g., ConnectivityService) and netd than the current FrameworkListener / NativeDaemonConnector interface which uses text strings over a Unix socket. Bug: 27239233 Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af
2016-02-18 06:55:51 -08:00
Change name in the rules after renaming dns_listener -> netd_listener Change-Id: I4737a087f2d00e1028d1cb43d9eda814a008dbe8
2016-09-01 02:08:57 -07:00
# Allow netd to talk to the framework service which collects netd events.
allow netd netd_listener_service:service_manager find;
selinux changes for DNS metrics. 1. Allow the system server to create the dns_listener service. 2. Allow netd to use said service. Change-Id: Ic6394d7b2bdebf1c4d6cf70a79754a4996e943e2
2016-04-13 08:14:58 -07:00
Introduce fwmarkd: a service to set the fwmark of sockets. (cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907) Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
2014-05-01 11:12:10 -07:00
# Allow netd to operate on sockets that are passed to it.
netd.te: drop dccp_socket support No SELinux domains can create dccp_socket instances, so it doesn't make any sense to allow netd to minipulate already-open dccp sockets. Bug: 35784697 Test: policy compiles. Change-Id: I189844462cbab58ed58c24fbad6a392f6b035815
2017-02-27 09:21:11 -08:00
allow netd netdomain:{
public/netd.te: allow netd to operate icmp_socket that passed to it This should be supplement for the change here: https://android-review.googlesource.com/c/platform/system/sepolicy/+/708638 When test the cts libcore.libcore.io.OsTest#test_socketPing test case, it will fail with avc denial message like following: [ 1906.617027] type=1400 audit(1530527518.195:10496): avc: denied { read write } for comm="netd" path="socket:[32066]" dev="sockfs" ino=32066 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1 [ 1906.617189] type=1400 audit(1530527518.195:10496): avc: denied { read write } for comm="netd" path="socket:[32066]" dev="sockfs" ino=32066 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1 [ 1906.617206] type=1400 audit(1530527518.195:10497): avc: denied { getopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1 [ 1906.617313] type=1400 audit(1530527518.195:10497): avc: denied { getopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1 [ 1906.617330] type=1400 audit(1530527518.195:10498): avc: denied { setopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1 [ 1907.832425] type=1400 audit(1530527518.195:10498): avc: denied { setopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1 Test: run cts -m CtsLibcoreTestCases -t libcore.libcore.io.OsTest#test_socketPing Change-Id: If41cb804292834b8994333f170d1f7f837bcd7df Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2018-07-02 03:34:18 -07:00
icmp_socket
netd.te: drop dccp_socket support No SELinux domains can create dccp_socket instances, so it doesn't make any sense to allow netd to minipulate already-open dccp sockets. Bug: 35784697 Test: policy compiles. Change-Id: I189844462cbab58ed58c24fbad6a392f6b035815
2017-02-27 09:21:11 -08:00
tcp_socket
udp_socket
rawip_socket
tun_socket
} { read write getattr setattr getopt setopt };
Introduce fwmarkd: a service to set the fwmark of sockets. (cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907) Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
2014-05-01 11:12:10 -07:00
allow netd netdomain:fd use;
Update Common NetD SEPolicy to allow Netlink XFRM In order to perform XFRM operations NetD needs the ability to both read and write Netlink XFRM messages. Bug: 34811756 Test: 34812052 Change-Id: I26831c58b24a4c1f344b113f0b5cf47ed2c93fee (cherry picked from commit 7eb3dd3b02693852d6dee1e8e1135d3d9b201b86)
2017-03-01 20:29:21 -08:00
# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
get_prop(netd, hwservicemanager_prop)
SEPolicy updates for adding native flag namespace(netd). For experiment flag testing, we add a flag netd and have SEPolicy updates. Test: add sepolicy, m -j, check GetServerConfigurableFlag function in netd Bug:122050512 Change-Id: I21c844c277afc358085d80447f16e4c0d4eba5b3
2018-12-27 02:01:25 -08:00
get_prop(netd, device_config_netd_native_prop)
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
remove "self:process ptrace" from domain, netd neverallow rules Remove "self:process ptrace" from all SELinux enforced domains. In general, a process should never need to ptrace itself. We can add this back to more narrowly scoped domains as needed. Add a bunch of neverallow assertions to netd.te, to verify that netd never gets unexpected capabilities. Change-Id: Ie862dc95bec84068536bb64705667e36210c5f4e
2013-07-12 21:28:41 -07:00
###
### Neverallow rules
###
### netd should NEVER do any of this
# Block device access.
neverallow netd dev_type:blk_file { read write };
# ptrace any other app
neverallow netd { domain }:process ptrace;
# Write to /system.
neverallow netd system_file:dir_file_class_set write;
# Write to files in /data/data or system files on /data
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-02 15:54:23 -07:00
neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
Revert "Revert "netd: restrict netd binder access to system_server"" This reverts commit b5594c2781c1bd03a083c77164f0809ed4a69422. Bug: 27239233 Change-Id: I407a2f3a313f3de801080f9bae46f6bac1a803c2
2016-03-02 05:57:34 -08:00
sepolicy changes for network stack app The networking stack app hosts services that used to be in the system server (IpClient, NetworkMonitor for now), but in a different process to be packaged as a mainline module. Test: booted, verified networking stack working when in app Change-Id: I300a556f51b35c17378af961cea1ec937444e597
2018-11-14 00:07:41 -08:00
# only system_server, dumpstate and network stack app may find netd service
neverallow {
domain
-system_server
-dumpstate
-network_stack
-netd
Sepolicy for netutils_wrapper to use binder call Bug: 65862741 Test: built, flashed, booted Change-Id: I346520c47b74fde5137ad7c777f0a9eca50a06d7
2019-03-19 00:07:00 -07:00
-netutils_wrapper
sepolicy changes for network stack app The networking stack app hosts services that used to be in the system server (IpClient, NetworkMonitor for now), but in a different process to be packaged as a mainline module. Test: booted, verified networking stack working when in app Change-Id: I300a556f51b35c17378af961cea1ec937444e597
2018-11-14 00:07:41 -08:00
} netd_service:service_manager find;
netd: relax binder neverallow rules for hwservices Relax neverallow rule restricting binder access to/from netd so that netd can export hwbinder services to vendor components. Continue to disallow app access to netd via binder. Bug: 36682246 Test: build Change-Id: I8e558ea1add6c36b966ec1da204062ea82df3f3f
2017-07-26 12:53:21 -07:00
Add sepolicy for resolver service Bug: 126141549 Test: built, flashed, booted Change-Id: I34260e1e5cc238fbe92574f928252680c1e6b417
2019-02-25 04:12:15 -08:00
# only system_server, dumpstate and network stack app may find dnsresolver service
neverallow {
domain
-system_server
-dumpstate
-network_stack
-netd
Sepolicy for netutils_wrapper to use binder call Bug: 65862741 Test: built, flashed, booted Change-Id: I346520c47b74fde5137ad7c777f0a9eca50a06d7
2019-03-19 00:07:00 -07:00
-netutils_wrapper
Add sepolicy for resolver service Bug: 126141549 Test: built, flashed, booted Change-Id: I34260e1e5cc238fbe92574f928252680c1e6b417
2019-02-25 04:12:15 -08:00
} dnsresolver_service:service_manager find;
netd: relax binder neverallow rules for hwservices Relax neverallow rule restricting binder access to/from netd so that netd can export hwbinder services to vendor components. Continue to disallow app access to netd via binder. Bug: 36682246 Test: build Change-Id: I8e558ea1add6c36b966ec1da204062ea82df3f3f
2017-07-26 12:53:21 -07:00
# apps may not interact with netd over binder.
wifi_stack: Move to network_stack process The wifi stack APK will run inside the network_stack process. So, move the sepolicy rules for wifi stack inside the network stack rules. Bug: 135691051 Test: Manual tests - manual connect to wifi networks - Remove networks Test: Will send for ACTS wifi regression testing Change-Id: I9d5da80852f22fa1d12b2dbbc76b9e06c1275310 (cherry-picked from b83abf7af3df64e0d3c1b22548f2344b55aece28)
2019-10-01 13:49:21 -07:00
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
Revert "Temporarily revert the SELinux policy for persist.netd.stable_secret." This change must only be submitted when device-specific policies have been reverted. This reverts commit 07e631d2e0a01226ea83e517305d1eceb1b1a158. Bug: 17613910 Test: builds Change-Id: Ie33e293107bf1eba2498f2422d941544c76b8cad Merged-In: I356c39a5dc955b3d7c28d8c7baf2887a17beb272
2017-07-10 17:43:19 -07:00
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
Allow dumpstate to read property_type dumpstate needs to read all the system properties for debugging. Bug: 77277669 Test: succeeded building and tested with taimen Change-Id: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
2018-04-05 11:32:58 -07:00
neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
Revert "Temporarily revert the SELinux policy for persist.netd.stable_secret." This change must only be submitted when device-specific policies have been reverted. This reverts commit 07e631d2e0a01226ea83e517305d1eceb1b1a158. Bug: 17613910 Test: builds Change-Id: Ie33e293107bf1eba2498f2422d941544c76b8cad Merged-In: I356c39a5dc955b3d7c28d8c7baf2887a17beb272
2017-07-10 17:43:19 -07:00
# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
netd: silence innocuous denials to /proc and /sys Bug: 74586749 Test: build policy Change-Id: I72a3b7c38eb9030ffac0d2dde23a9ff7c26fd70a
2018-03-16 16:08:31 -07:00
# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
neverallow netd proc_net:dir no_w_dir_perms;
dontaudit netd proc_net:dir write;
neverallow netd sysfs_net:dir no_w_dir_perms;
dontaudit netd sysfs_net:dir write;
netd does not require and should not have SYS_ADMIN nor module loading privs This is pulling in: dontaudit netd self:capability sys_module; dontaudit netd kernel:system module_request; from: https://android-review.googlesource.com/c/device/amlogic/yukawa/+/1217396 //device/amlogic/yukawa/sepolicy/netd.te https://android-review.googlesource.com/c/device/generic/goldfish/+/1217397 //device/generic/goldfish/sepolicy/common/netd.te https://android-review.googlesource.com/c/device/google/bonito-sepolicy/+/1217435 //device/google/bonito-sepolicy/vendor/qcom/common/netd.te https://android-review.googlesource.com/c/device/google/crosshatch-sepolicy/+/1217398 //device/google/crosshatch-sepolicy/vendor/qcom/common/netd.te https://android-review.googlesource.com/c/device/google/wahoo/+/1217436 //device/google/wahoo/sepolicy/vendor/netd.te https://android-review.googlesource.com/c/device/linaro/hikey/+/1217455 //device/linaro/hikey/sepolicy/netd.te https://android-review.googlesource.com/c/device/ti/beagle-x15/+/1217475 //device/ti/beagle-x15/sepolicy/netd.te Test: builds Signed-off-by: Maciej Żenczykowski Change-Id: Idff03782133691ff43e49cb04544e5d1b1be922f
2020-01-24 04:50:04 -08:00
# Netd should not have SYS_ADMIN privs.
neverallow netd self:capability sys_admin;
dontaudit netd self:capability sys_admin;
# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
# (things it requires should be built directly into the kernel)
dontaudit netd self:capability sys_module;
dontaudit netd kernel:system module_request;
Reference in New Issue Copy Permalink