PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c411ff70d3
android_system_sepolicy/public/netd.te

158 lines
5.8 KiB
Plaintext
Raw Normal View History

SE Android policy.
2012-01-04 09:33:27 -08:00
# network manager
Move domain_deprecated into private policy This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 13:19:03 -07:00
type netd, domain, mlstrustedsubject;
SE Android policy.
2012-01-04 09:33:27 -08:00
type netd_exec, exec_type, file_type;
put netd into net_domain This addresses the review comments from https://android-review.googlesource.com/#/c/69855/ Change-Id: I4d4633db711695c7f959b60f247772b0ac67931f
2013-12-15 19:04:09 -08:00
net_domain(netd)
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
2016-05-16 21:12:17 -07:00
# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
put netd into net_domain This addresses the review comments from https://android-review.googlesource.com/#/c/69855/ Change-Id: I4d4633db711695c7f959b60f247772b0ac67931f
2013-12-15 19:04:09 -08:00
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
r_dir_file(netd, cgroup)
Add sepolicy to lock down bpf access Add a new set of sepolicy for the process that only netd use to load and run ebpf programs. It is the only process that can load eBPF programs into the kernel and is only used to do that. Add some neverallow rules regarding which processes have access to bpf objects. Test: program successfully loaded and pinned at sys/fs/bpf after device boot. No selinux violation for bpfloader Bug: 30950746 Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
2018-01-02 15:31:18 -08:00
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
allow netd system_server:fd use;
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 14:51:26 -08:00
allow netd self:global_capability_class_set { net_admin net_raw kill };
Remove fsetid from netd. fsetid checks are triggered by chmod on a directory or file owned by a group other than one of the groups assigned to the current process to see if the setgid bit should be cleared, regardless of whether the setgid bit was even set. We do not appear to truly need this capability for netd to operate, so remove it. Potential dontaudit candidate. Change-Id: I5ab4fbaaa056dcd1c7e60ec28632e7bc06f826bf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 10:00:59 -08:00
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
netd dontaudit fsetid For the reasons explained in the pre-existing code, we don't want to grant fsetid to netd, nor do we want denial messages to be generated. Change-Id: I34dcea81acd25b4eddc46bb54ea0d828b33c5fdc
2015-04-02 15:36:51 -07:00
# for netd to operate.
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 14:51:26 -08:00
dontaudit netd self:global_capability_class_set fsetid;
Remove fsetid from netd. fsetid checks are triggered by chmod on a directory or file owned by a group other than one of the groups assigned to the current process to see if the setgid bit should be cleared, regardless of whether the setgid bit was even set. We do not appear to truly need this capability for netd to operate, so remove it. Potential dontaudit candidate. Change-Id: I5ab4fbaaa056dcd1c7e60ec28632e7bc06f826bf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 10:00:59 -08:00
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
2016-05-16 21:12:17 -07:00
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 12:06:11 -08:00
allow netd self:netlink_route_socket nlmsg_write;
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
2016-05-16 21:12:17 -07:00
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
allow netd self:netlink_socket create_socket_perms_no_ioctl;
allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
restore permissions to /vendor for non-treble devices Relabeling /vendor and /system/vendor to vendor_file removed previously granted permissions. Restore these for non-treble devices. Addresses: avc: denied { execute_no_trans } for pid=2944 comm="dumpstate" path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0 tclass=file And potentially some other bugs that have yet to surface. Bug: 37105075 Test: build Fugu Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8
2017-04-13 21:58:12 -07:00
not_full_treble(`allow netd vendor_file:file x_file_perms;')
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
allow netd devpts:chr_file rw_file_perms;
Fix lock logspam and remove domain_deprecated rule Remove system_file:file { lock ioctl } from domain_deprecated. The only domains triggering this were dex2oat and netd, which are fixed in this change. Addresses the following logspam similar to: avc: granted { lock } for comm="iptables" path="/system/etc/xtables.lock" dev="sda22" ino=3745 scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=file avc: granted { lock } for comm="dex2oat" path="/system/framework/arm/boot-okhttp.art" dev="dm-0" ino=1295 scontext=u:r:dex2oat:s0 tcontext=u:object_r:system_file:s0 tclass=file Test: device boots and no obvious problems. Bug: 28760354 Bug: 36879751 Change-Id: Iac851c0e49a52ce4000fdfe16e68c17ff819693f
2017-04-04 18:34:52 -07:00
# Acquire advisory lock on /system/etc/xtables.lock
allow netd system_file:file lock;
sepolicy: allow netd to write to qtaguid file Since all qtaguid related userspace implementation are moved into netd and will use netd to choose which module to run at run time. Netd module should be the only process can directly read/write to the ctrl file of qtaguid located at /proc/net/xt_qtaguid/ctrl. This sepolicy change grant netd the privilege to access qtaguid proc files. It also grant netd the permission to control trigger to turn on and off qtaguid module by write parameters to files under sys_fs. The file and directory related is properly labled. Bug: 68774956 Bug: 30950746 Test: qtaguid function still working after the native function is redirected. Change-Id: Ia6db6f16ecbf8c58f631c79c9b4893ecf2cc607b
2017-10-24 14:40:53 -07:00
# Allow netd to write to qtaguid ctrl file. This is the same privilege level that normal apps have
# TODO: Add proper rules to prevent other process to access qtaguid_proc file after migration
# complete
allow netd qtaguid_proc:file rw_file_perms;
Allow netd to read the /dev/xt_qtaguid After move qtaguid control interface into netd. Netd need to open the xt_qtaguid resource tracking misc dev to make sure xt_qtaguid module is successfully initialized before taking action. This selinux rule change allows netd to do so and it is the same privilege normal apps currently have. Test: No more selinux denials on netd access qtaguid_device Bug: 30950746 Change-Id: I79a98bbda3f3fdb85140a06a7532cdcc4354c518
2017-11-15 11:18:44 -08:00
# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
allow netd qtaguid_device:chr_file r_file_perms;
sepolicy: allow netd to write to qtaguid file Since all qtaguid related userspace implementation are moved into netd and will use netd to choose which module to run at run time. Netd module should be the only process can directly read/write to the ctrl file of qtaguid located at /proc/net/xt_qtaguid/ctrl. This sepolicy change grant netd the privilege to access qtaguid proc files. It also grant netd the permission to control trigger to turn on and off qtaguid module by write parameters to files under sys_fs. The file and directory related is properly labled. Bug: 68774956 Bug: 30950746 Test: qtaguid function still working after the native function is redirected. Change-Id: Ia6db6f16ecbf8c58f631c79c9b4893ecf2cc607b
2017-10-24 14:40:53 -07:00
domain_deprecated.te: remove /proc/net access Remove /proc/net access to domain_deprecated. Add it to domains where it was missing before. Other than these domains, SELinux denial monitoring hasn't picked up any denials related to /proc/net Bug: 28760354 Test: Device boots Test: No unexpected denials in denial collection logs. Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a
2016-11-30 15:22:18 -08:00
r_dir_file(netd, proc_net)
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
# For /proc/sys/net/ipv[46]/route/flush.
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
allow netd proc_net:file rw_file_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
Define explicit label for wlan sysfs fwpath avc: denied { write } for name="fwpath" dev="sysfs" ino=6863 scontext=u:r:wificond:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0 Test: wificond and netd can write to this path, wifi works Test: `runtest frameworks-wifi` passes Bug: 29579539 Change-Id: Ia21c654b00b09b9fe3e50d564b82966c9c8e6994 (cherry picked from commit 7d13dd806f37523ba8164325fef9b000d6eacd7c)
2016-06-30 14:23:12 -07:00
# Enables PppController and interface enumeration (among others)
Restrict netd fwk policy. Remove netd access to sysfs_type attribute. These were moved from vendor to fwk policy: 1. sysfs_net type declaration 2. labeling of /sys/devices/virtual/net with sysfs_net 3. netd access to sysfs_net Bug: 65643247 Test: can browse internet without netd denials Test: netd_unit_test, netd_integration_test without netd denials Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e (cherry picked from commit e62a56b717acbf0f2152fd92f839953395b741a3)
2017-10-01 15:53:01 -07:00
allow netd sysfs:dir r_dir_perms;
r_dir_file(netd, sysfs_net)
Define explicit label for wlan sysfs fwpath avc: denied { write } for name="fwpath" dev="sysfs" ino=6863 scontext=u:r:wificond:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0 Test: wificond and netd can write to this path, wifi works Test: `runtest frameworks-wifi` passes Bug: 29579539 Change-Id: Ia21c654b00b09b9fe3e50d564b82966c9c8e6994 (cherry picked from commit 7d13dd806f37523ba8164325fef9b000d6eacd7c)
2016-06-30 14:23:12 -07:00
# Allows setting interface MTU
Restrict netd fwk policy. Remove netd access to sysfs_type attribute. These were moved from vendor to fwk policy: 1. sysfs_net type declaration 2. labeling of /sys/devices/virtual/net with sysfs_net 3. netd access to sysfs_net Bug: 65643247 Test: can browse internet without netd denials Test: netd_unit_test, netd_integration_test without netd denials Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e (cherry picked from commit e62a56b717acbf0f2152fd92f839953395b741a3)
2017-10-01 15:53:01 -07:00
allow netd sysfs_net:file w_file_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
Keep pre-existing sysfs write permissions. Commit: b144ebab482891cef32ee84c06dbb0f943823573 added the sysfs_usb type and granted the read perms globally, but did not add write permissions for all domains that previously had them. Add the ability to write to sysfs_usb for all domains that had the ability to write to those files previously (sysfs). Address denials such as: type=1400 audit(1904.070:4): avc: denied { write } for pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0 Bug: 28417852 Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849
2016-06-14 13:41:47 -07:00
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
sepolicy: Allow mount cgroupv2 and bpf fs Some necessary sepolicy rule changes for init process to create directory, mount cgroupv2 module and mount bpf filesystem. Also allow netd to create and pin bpf object as files and read it back from file under the directory where bpf filesystem is mounted. Test: bpf maps show up under /sys/fs/bpf/ Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
2017-08-01 18:06:18 -07:00
allow netd fs_bpf:dir create_dir_perms;
allow netd fs_bpf:file create_file_perms;
Remove WiFi permissions from netd Bug: 30041228 Test: WiFi tethering, client mode continues to function Change-Id: I95a583ad4d57642f4731e415abb77732df5289ac (cherry picked from commit fb5b13ee31e8fb224608b521fe337458be838b02)
2016-07-22 16:34:08 -07:00
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 14:51:26 -08:00
allow netd self:global_capability_class_set { dac_override chown };
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
Allow netd to create data files in /data/misc/net/. This will be used to populate rt_tables (a mapping from routing table numbers to table names) that's read by the iproute2 utilities. Change-Id: I69deb1a64d5d6647470823405bf0cc55b24b22de
2014-07-07 22:04:57 -07:00
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 14:51:26 -08:00
allow netd self:global_capability_class_set fowner;
Allow netd to create data files in /data/misc/net/. This will be used to populate rt_tables (a mapping from routing table numbers to table names) that's read by the iproute2 utilities. Change-Id: I69deb1a64d5d6647470823405bf0cc55b24b22de
2014-07-07 22:04:57 -07:00
Explicitly allow netd to take the iptables lock. This was previously relying on domain_deprecated rules deleted in change I588a1e7ea7ef984907b79a5a391efb2dcd6e6431. Bug: 28760354 Test: unbreaks networking on AOSP bullhead Change-Id: I873e1f08f72104dee7509e45b1db0b284ca56085
2017-07-16 01:48:39 -07:00
# Needed to lock the iptables lock.
allow netd system_file:file lock;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
# Allow netd to spawn dnsmasq in it's own domain
allow netd dnsmasq:process signal;
Fix clatd, broken by selinux policing /dev/tun Bug: 10175701 Change-Id: I185df22bdbaafd56725760ec6c71340b67455046
2013-08-04 23:32:56 -07:00
# Allow netd to start clatd in its own domain
allow netd clatd:process signal;
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-04 18:22:45 -07:00
set_prop(netd, ctl_mdnsd_prop)
Revert "Temporarily revert the SELinux policy for persist.netd.stable_secret." This change must only be submitted when device-specific policies have been reverted. This reverts commit 07e631d2e0a01226ea83e517305d1eceb1b1a158. Bug: 17613910 Test: builds Change-Id: Ie33e293107bf1eba2498f2422d941544c76b8cad Merged-In: I356c39a5dc955b3d7c28d8c7baf2887a17beb272
2017-07-10 17:43:19 -07:00
set_prop(netd, netd_stable_secret_prop)
remove "self:process ptrace" from domain, netd neverallow rules Remove "self:process ptrace" from all SELinux enforced domains. In general, a process should never need to ptrace itself. We can add this back to more narrowly scoped domains as needed. Add a bunch of neverallow assertions to netd.te, to verify that netd never gets unexpected capabilities. Change-Id: Ie862dc95bec84068536bb64705667e36210c5f4e
2013-07-12 21:28:41 -07:00
Allow the framework to communicate with netd via a binder service This will allow us to provide a better interface between Java services (e.g., ConnectivityService) and netd than the current FrameworkListener / NativeDaemonConnector interface which uses text strings over a Unix socket. Bug: 27239233 Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af
2016-02-18 06:55:51 -08:00
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
te_macros: introduce add_service() macro Introduce the add_service() macro which wraps up add/find permissions for the source domain with a neverallow preventing others from adding it. Only a particular domain should add a particular service. Use the add_service() macro to automatically add a neverallow that prevents other domains from adding the service. mediadrmserver was adding services labeled mediaserver_service. Drop the add permission as it should just need the find permission. Additionally, the macro adds the { add find } permission which causes some existing neverallow's to assert. Adjust those neverallow's so "self" can always find. Test: compile and run on hikey and emulator. No new denials were found, and all services, where applicable, seem to be running OK. Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-19 13:23:52 -08:00
add_service(netd, netd_service)
Allow bugreports to dump the native netd service state. Bug: 28251026 Change-Id: I73dce178b873d45e703896f12c10325af2ade81d
2016-04-18 16:05:44 -07:00
allow netd dumpstate:fifo_file { getattr write };
Allow the framework to communicate with netd via a binder service This will allow us to provide a better interface between Java services (e.g., ConnectivityService) and netd than the current FrameworkListener / NativeDaemonConnector interface which uses text strings over a Unix socket. Bug: 27239233 Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af
2016-02-18 06:55:51 -08:00
# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
Allow netd to check permissions. Bug: 27239233 Change-Id: I82e3451542f08de67ad950223be90e37a2d3e899
2016-03-02 05:55:17 -08:00
allow netd permission_service:service_manager find;
Allow the framework to communicate with netd via a binder service This will allow us to provide a better interface between Java services (e.g., ConnectivityService) and netd than the current FrameworkListener / NativeDaemonConnector interface which uses text strings over a Unix socket. Bug: 27239233 Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af
2016-02-18 06:55:51 -08:00
Change name in the rules after renaming dns_listener -> netd_listener Change-Id: I4737a087f2d00e1028d1cb43d9eda814a008dbe8
2016-09-01 02:08:57 -07:00
# Allow netd to talk to the framework service which collects netd events.
allow netd netd_listener_service:service_manager find;
selinux changes for DNS metrics. 1. Allow the system server to create the dns_listener service. 2. Allow netd to use said service. Change-Id: Ic6394d7b2bdebf1c4d6cf70a79754a4996e943e2
2016-04-13 08:14:58 -07:00
Introduce fwmarkd: a service to set the fwmark of sockets. (cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907) Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
2014-05-01 11:12:10 -07:00
# Allow netd to operate on sockets that are passed to it.
netd.te: drop dccp_socket support No SELinux domains can create dccp_socket instances, so it doesn't make any sense to allow netd to minipulate already-open dccp sockets. Bug: 35784697 Test: policy compiles. Change-Id: I189844462cbab58ed58c24fbad6a392f6b035815
2017-02-27 09:21:11 -08:00
allow netd netdomain:{
tcp_socket
udp_socket
rawip_socket
tun_socket
} { read write getattr setattr getopt setopt };
Introduce fwmarkd: a service to set the fwmark of sockets. (cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907) Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
2014-05-01 11:12:10 -07:00
allow netd netdomain:fd use;
Update Common NetD SEPolicy to allow Netlink XFRM In order to perform XFRM operations NetD needs the ability to both read and write Netlink XFRM messages. Bug: 34811756 Test: 34812052 Change-Id: I26831c58b24a4c1f344b113f0b5cf47ed2c93fee (cherry picked from commit 7eb3dd3b02693852d6dee1e8e1135d3d9b201b86)
2017-03-01 20:29:21 -08:00
# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
sepolicy: New sepolicy classes and rules about bpf object Add the new classes for eBPF map and program to limit the access to eBPF object. Add corresponding rules to allow netd module initialize bpf programs and maps, use the program and read/wirte to eBPF maps. Test: no bpf sepolicy violations when device boot Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd
2017-08-22 18:33:46 -07:00
# give netd permission to use eBPF functionalities
Add sepolicy to lock down bpf access Add a new set of sepolicy for the process that only netd use to load and run ebpf programs. It is the only process that can load eBPF programs into the kernel and is only used to do that. Add some neverallow rules regarding which processes have access to bpf objects. Test: program successfully loaded and pinned at sys/fs/bpf after device boot. No selinux violation for bpfloader Bug: 30950746 Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
2018-01-02 15:31:18 -08:00
allow netd self:bpf { map_create map_read map_write };
sepolicy: New sepolicy classes and rules about bpf object Add the new classes for eBPF map and program to limit the access to eBPF object. Add corresponding rules to allow netd module initialize bpf programs and maps, use the program and read/wirte to eBPF maps. Test: no bpf sepolicy violations when device boot Change-Id: I63c35cd60f1972d4fb36ef2408da8d5f2246f7fd
2017-08-22 18:33:46 -07:00
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
get_prop(netd, hwservicemanager_prop)
remove "self:process ptrace" from domain, netd neverallow rules Remove "self:process ptrace" from all SELinux enforced domains. In general, a process should never need to ptrace itself. We can add this back to more narrowly scoped domains as needed. Add a bunch of neverallow assertions to netd.te, to verify that netd never gets unexpected capabilities. Change-Id: Ie862dc95bec84068536bb64705667e36210c5f4e
2013-07-12 21:28:41 -07:00
###
### Neverallow rules
###
### netd should NEVER do any of this
# Block device access.
neverallow netd dev_type:blk_file { read write };
# ptrace any other app
neverallow netd { domain }:process ptrace;
# Write to /system.
neverallow netd system_file:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
Revert "Revert "netd: restrict netd binder access to system_server"" This reverts commit b5594c2781c1bd03a083c77164f0809ed4a69422. Bug: 27239233 Change-Id: I407a2f3a313f3de801080f9bae46f6bac1a803c2
2016-03-02 05:57:34 -08:00
netd: relax binder neverallow rules for hwservices Relax neverallow rule restricting binder access to/from netd so that netd can export hwbinder services to vendor components. Continue to disallow app access to netd via binder. Bug: 36682246 Test: build Change-Id: I8e558ea1add6c36b966ec1da204062ea82df3f3f
2017-07-26 12:53:21 -07:00
# only system_server and dumpstate may find netd service
te_macros: introduce add_service() macro Introduce the add_service() macro which wraps up add/find permissions for the source domain with a neverallow preventing others from adding it. Only a particular domain should add a particular service. Use the add_service() macro to automatically add a neverallow that prevents other domains from adding the service. mediadrmserver was adding services labeled mediaserver_service. Drop the add permission as it should just need the find permission. Additionally, the macro adds the { add find } permission which causes some existing neverallow's to assert. Adjust those neverallow's so "self" can always find. Test: compile and run on hikey and emulator. No new denials were found, and all services, where applicable, seem to be running OK. Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-19 13:23:52 -08:00
neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
netd: relax binder neverallow rules for hwservices Relax neverallow rule restricting binder access to/from netd so that netd can export hwbinder services to vendor components. Continue to disallow app access to netd via binder. Bug: 36682246 Test: build Change-Id: I8e558ea1add6c36b966ec1da204062ea82df3f3f
2017-07-26 12:53:21 -07:00
Add sepolicy to lock down bpf access Add a new set of sepolicy for the process that only netd use to load and run ebpf programs. It is the only process that can load eBPF programs into the kernel and is only used to do that. Add some neverallow rules regarding which processes have access to bpf objects. Test: program successfully loaded and pinned at sys/fs/bpf after device boot. No selinux violation for bpfloader Bug: 30950746 Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
2018-01-02 15:31:18 -08:00
# only netd can create the bpf maps
neverallow { domain -netd } netd:bpf { map_create };
netd: relax binder neverallow rules for hwservices Relax neverallow rule restricting binder access to/from netd so that netd can export hwbinder services to vendor components. Continue to disallow app access to netd via binder. Bug: 36682246 Test: build Change-Id: I8e558ea1add6c36b966ec1da204062ea82df3f3f
2017-07-26 12:53:21 -07:00
# apps may not interact with netd over binder.
neverallow appdomain netd:binder call;
neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
Revert "Temporarily revert the SELinux policy for persist.netd.stable_secret." This change must only be submitted when device-specific policies have been reverted. This reverts commit 07e631d2e0a01226ea83e517305d1eceb1b1a158. Bug: 17613910 Test: builds Change-Id: Ie33e293107bf1eba2498f2422d941544c76b8cad Merged-In: I356c39a5dc955b3d7c28d8c7baf2887a17beb272
2017-07-10 17:43:19 -07:00
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
netd: silence innocuous denials to /proc and /sys Bug: 74586749 Test: build policy Change-Id: I72a3b7c38eb9030ffac0d2dde23a9ff7c26fd70a
2018-03-16 16:08:31 -07:00
# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
neverallow netd proc_net:dir no_w_dir_perms;
dontaudit netd proc_net:dir write;
neverallow netd sysfs_net:dir no_w_dir_perms;
dontaudit netd sysfs_net:dir write;
Reference in New Issue Copy Permalink