
Lines Matching refs:netd

# Excerpt: only lines of the netd policy that mention "netd" are shown, so
# numbers between neighbouring lines are gaps in the source file. Multi-line
# statements (the netdomain permission set, the neverallow sets around the
# "-netd" exclusions) are cut at those gaps and cannot be read in full here.
#
# Reading guide for the rule keywords used below:
#   allow       grants the listed permissions (the audit log records what is
#               still denied).
#   allowxperm  narrows an already-granted ioctl permission to the listed
#               command set, so unlisted ioctl numbers stay denied.
#   dontaudit   grants nothing; it only suppresses the denial log entry.
#   neverallow  is a build-time assertion: a policy that grants any matching
#               rule fails to compile, so these lines are hard limits on netd.
#
# netd is a plain domain; the mlstrustedsubject attribute marks it as exempt
# from the policy's MLS constraints.
2 type netd, domain, mlstrustedsubject;
5 net_domain(netd)
6 # in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
7 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
9 r_dir_file(netd, cgroup)
11 allow netd system_server:fd use;
# Capabilities: net_admin/net_raw cover interface, routing and raw-socket
# configuration; kill covers signalling other processes (dnsmasq below).
13 allow netd self:global_capability_class_set { net_admin net_raw kill };
19 # for netd to operate.
20 dontaudit netd self:global_capability_class_set fsetid;
22 # Allow netd to open /dev/tun, set it up and pass it to clatd
23 allow netd tun_device:chr_file rw_file_perms;
# Only the two TUN setup ioctls are permitted on the device node.
24 allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
25 allow netd self:tun_socket create;
# Netlink families: most are create-only without ioctl; route, tcpdiag and
# xfrm (line 110) additionally get nlmsg_write, i.e. they can modify kernel
# networking state, not just query it.
27 allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
28 allow netd self:netlink_route_socket nlmsg_write;
29 allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
30 allow netd self:netlink_socket create_socket_perms_no_ioctl;
31 allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
32 allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
33 allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
# Executable content netd may run: shell scripts, system binaries and, on
# non-Treble builds only, vendor binaries.
34 allow netd shell_exec:file rx_file_perms;
35 allow netd system_file:file x_file_perms;
36 not_full_treble(`allow netd vendor_file:file x_file_perms;')
37 allow netd devpts:chr_file rw_file_perms;
41 allow netd system_file:file lock;
# Writes to system_file dirs are silenced here and asserted impossible by the
# neverallow at line 128 below.
42 dontaudit netd system_file:dir write;
44 # Allow netd to write to qtaguid ctrl file.
47 allow netd proc_qtaguid_ctrl:file rw_file_perms;
48 # Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
49 allow netd qtaguid_device:chr_file r_file_perms;
# proc_net_type / sysfs_net: files are writable (tunables), but directory
# writes are asserted impossible at lines 160 and 163 below.
51 r_dir_file(netd, proc_net_type)
53 allow netd proc_net_type:file rw_file_perms;
56 allow netd sysfs:dir r_dir_perms;
57 r_dir_file(netd, sysfs_net)
60 allow netd sysfs_net:file w_file_perms;
63 allow netd sysfs_usb:file write;
65 r_dir_file(netd, cgroup_v2)
# BPF map access is limited to search + read/write; no map creation or
# program load appears in the lines shown.
67 allow netd fs_bpf:dir search;
68 allow netd fs_bpf:file { read write };
70 # TODO: netd previously thought it needed these permissions to do WiFi related
# NOTE(review): dac_override bypasses discretionary file permission checks
# entirely; the TODO above marks these as of doubtful necessity — confirm each
# is still exercised before keeping it.
73 allow netd self:global_capability_class_set { dac_override dac_read_search chown };
76 allow netd net_data_file:file create_file_perms;
77 allow netd net_data_file:dir rw_dir_perms;
78 allow netd self:global_capability_class_set fowner;
81 allow netd system_file:file lock;
83 # Allow netd to spawn dnsmasq in its own domain
84 allow netd dnsmasq:process signal;
86 # Allow netd to publish a binder service and make binder calls.
87 binder_use(netd)
88 add_service(netd, netd_service)
89 add_service(netd, dnsresolver_service)
90 allow netd dumpstate:fifo_file { getattr write };
92 # Allow netd to call into the system server so it can check permissions.
93 allow netd system_server:binder call;
94 allow netd permission_service:service_manager find;
96 # Allow netd to talk to the framework service which collects netd events.
97 allow netd netd_listener_service:service_manager find;
99 # Allow netd to operate on sockets that are passed to it.
# The permission set for this rule continues on lines 101-106, which are not
# part of this excerpt.
100 allow netd netdomain:{
107 allow netd netdomain:fd use;
109 # give netd permission to read and write netlink xfrm
110 allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
112 # Allow netd to register as hal server.
113 add_hwservice(netd, system_net_netd_hwservice)
114 hwbinder_use(netd)
# ---- Hard limits (build-time assertions) ----
119 ### netd should NEVER do any of this
# No raw block-device access, no ptrace of any domain, no writes to system or
# app/system data files.
122 neverallow netd dev_type:blk_file { read write };
125 neverallow netd { domain }:process ptrace;
128 neverallow netd system_file:dir_file_class_set write;
131 neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
133 # only system_server, dumpstate and network stack app may find netd service
# The two "-netd" lines are exclusions inside neverallow source sets whose
# other members fall in the omitted lines.
139 -netd
149 -netd
153 # apps may not interact with netd over binder.
# Binder is closed in both directions between apps and netd; network_stack is
# the only app-side exception (plus su on userdebug/eng builds, outbound).
154 neverallow { appdomain -network_stack } netd:binder call;
155 neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
# Each neverallow below is paired with a dontaudit so the asserted-impossible
# access also does not produce log noise.
160 neverallow netd proc_net:dir no_w_dir_perms;
161 dontaudit netd proc_net:dir write;
163 neverallow netd sysfs_net:dir no_w_dir_perms;
164 dontaudit netd sysfs_net:dir write;
167 neverallow netd self:capability sys_admin;
168 dontaudit netd self:capability sys_admin;
172 dontaudit netd self:capability sys_module;
174 dontaudit netd kernel:system module_request;
176 dontaudit netd appdomain:unix_stream_socket { read write };