Introduce fwmarkd: a service to set the fwmark of sockets.

Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
2014-05-01 11:12:10 -07:00 · 2014-05-01 11:12:10 -07:00 · f74d781138
commit f74d781138
parent f1f467f10f
5 changed files with 12 additions and 0 deletions
--- a/file.te
+++ b/file.te
@ -118,6 +118,7 @@ type adbd_socket, file_type;
 type bluetooth_socket, file_type;
 type dnsproxyd_socket, file_type, mlstrustedobject;
 type dumpstate_socket, file_type;
+type fwmarkd_socket, file_type, mlstrustedobject;
 type gps_socket, file_type;
 type installd_socket, file_type;
 type lmkd_socket, file_type;
--- a/1
+++ b/1
@ -79,6 +79,7 @@
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
+/dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
 /dev/socket/gps		u:object_r:gps_socket:s0
 /dev/socket/installd	u:object_r:installd_socket:s0
 /dev/socket/lmkd        u:object_r:lmkd_socket:s0
--- a/net.te
+++ b/net.te
@ -18,5 +18,8 @@ allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)

+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
 # Connect to mdnsd via mdnsd socket.
 unix_socket_connect(netdomain, mdnsd, mdnsd)
--- a/netd.te
+++ b/netd.te
@ -58,6 +58,10 @@ allow netd clatd:process signal;

 allow netd ctl_mdnsd_prop:property_service set;

+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
+allow netd netdomain:fd use;
+
 ###
 ### Neverallow rules
 ###
--- a/su.te
+++ b/su.te
@ -21,6 +21,9 @@ userdebug_or_eng(`
  allow su su_tmpfs:file execute;
  allow su debuggerd_prop:property_service set;

+  # Make su a net domain.
+  net_domain(su)
+
  # su is also permissive to permit setenforce.
  permissive su;