sepolicy - move public clatd to private
Clatd is effectively an internal implementation detail of netd.
It exists as a separate daemon only because this gives us a better
security boundary. Netd is it's only launcher (via fork/exec) and
killer.
Generated via:
{ echo; cat public/clatd.te; echo; } >> private/clatd.te
rm -f public/clatd.te
plus a minor edit to put coredomain after clatd type declaration
and required changes to move netd's clatd use out of public into private.
Test: build and install on non-aosp test device, atest, check for selinux clat denials
Change-Id: I80f110b75828f3657986e64650ef9e0f9877a07c
This commit is contained in:
Maciej Żenczykowski
parent
8f5436a19a
commit
44328c061d
@ -1 +1,36 @@
|
||||
typeattribute clatd coredomain;
|
||||
# 464xlat daemon
|
||||
type clatd, domain, coredomain;
|
||||
type clatd_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
net_domain(clatd)
|
||||
|
||||
r_dir_file(clatd, proc_net_type)
|
||||
userdebug_or_eng(`
|
||||
auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
|
||||
')
|
||||
|
||||
# Access objects inherited from netd.
|
||||
allow clatd netd:fd use;
|
||||
allow clatd netd:fifo_file { read write };
|
||||
# TODO: Check whether some or all of these sockets should be close-on-exec.
|
||||
allow clatd netd:netlink_kobject_uevent_socket { read write };
|
||||
allow clatd netd:netlink_nflog_socket { read write };
|
||||
allow clatd netd:netlink_route_socket { read write };
|
||||
allow clatd netd:udp_socket { read write };
|
||||
allow clatd netd:unix_stream_socket { read write };
|
||||
allow clatd netd:unix_dgram_socket { read write };
|
||||
|
||||
allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
|
||||
|
||||
# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
|
||||
# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
|
||||
# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
|
||||
# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
|
||||
# so we permit any requests we see from clatd asking for this capability.
|
||||
# See https://android-review.googlesource.com/127940 and
|
||||
# https://b.corp.google.com/issues/21736319
|
||||
allow clatd self:global_capability_class_set ipc_lock;
|
||||
|
||||
allow clatd self:netlink_route_socket nlmsg_write;
|
||||
allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
|
||||
allow clatd tun_device:chr_file rw_file_perms;
|
||||
|
||||
@ -5,8 +5,9 @@ init_daemon_domain(netd)
|
||||
# Allow netd to spawn dnsmasq in it's own domain
|
||||
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
|
||||
|
||||
# Allow netd to start clatd in its own domain
|
||||
# Allow netd to start clatd in its own domain and kill it
|
||||
domain_auto_trans(netd, clatd_exec, clatd)
|
||||
allow netd clatd:process signal;
|
||||
|
||||
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
|
||||
# the map created by bpfloader
|
||||
|
||||
@ -1,36 +0,0 @@
|
||||
# 464xlat daemon
|
||||
type clatd, domain;
|
||||
type clatd_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
net_domain(clatd)
|
||||
|
||||
r_dir_file(clatd, proc_net_type)
|
||||
userdebug_or_eng(`
|
||||
auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
|
||||
')
|
||||
|
||||
# Access objects inherited from netd.
|
||||
allow clatd netd:fd use;
|
||||
allow clatd netd:fifo_file { read write };
|
||||
# TODO: Check whether some or all of these sockets should be close-on-exec.
|
||||
allow clatd netd:netlink_kobject_uevent_socket { read write };
|
||||
allow clatd netd:netlink_nflog_socket { read write };
|
||||
allow clatd netd:netlink_route_socket { read write };
|
||||
allow clatd netd:udp_socket { read write };
|
||||
allow clatd netd:unix_stream_socket { read write };
|
||||
allow clatd netd:unix_dgram_socket { read write };
|
||||
|
||||
allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
|
||||
|
||||
# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
|
||||
# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
|
||||
# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
|
||||
# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
|
||||
# so we permit any requests we see from clatd asking for this capability.
|
||||
# See https://android-review.googlesource.com/127940 and
|
||||
# https://b.corp.google.com/issues/21736319
|
||||
allow clatd self:global_capability_class_set ipc_lock;
|
||||
|
||||
allow clatd self:netlink_route_socket nlmsg_write;
|
||||
allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
|
||||
allow clatd tun_device:chr_file rw_file_perms;
|
||||
@ -81,9 +81,6 @@ allow netd system_file:file lock;
|
||||
# Allow netd to spawn dnsmasq in it's own domain
|
||||
allow netd dnsmasq:process signal;
|
||||
|
||||
# Allow netd to start clatd in its own domain
|
||||
allow netd clatd:process signal;
|
||||
|
||||
set_prop(netd, ctl_mdnsd_prop)
|
||||
set_prop(netd, netd_stable_secret_prop)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user