## Network types
# Generic labels for the three kinds of network object, each declared together
# with the attribute it carries. The rules below target the attributes
# (node_type, netif_type, port_type) rather than these generic types, so they
# also cover every more specific node/netif/port type declared elsewhere.
type node, node_type;
type netif, netif_type;
type port, port_type;

###
### Domain with network access
###
# Everything in this section is granted to the netdomain attribute, i.e. to
# every domain that has been given network access. Where a permission is
# deliberately withheld from particular domains, the rule subtracts them
# (ephemeral_app, mediaprovider, untrusted_app_all) instead of listing the
# permitted ones.

# Use network sockets.
# TCP sockets get the stream permission set; the datagram/raw families get the
# plain create set. Both permission sets are macros defined elsewhere in the
# policy, so check their expansion before relying on a specific permission.
allow netdomain self:tcp_socket create_stream_socket_perms;
allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;

# Connect to ports.
# Outbound TCP connects are permitted to every type carrying port_type, not to
# a fixed list of ports; any per-port restriction has to be expressed elsewhere.
allow netdomain port_type:tcp_socket name_connect;
# Bind to ports.
# ephemeral_app is excluded from all three bind rules: it may connect out but
# may not bind a local address (node_bind) or a named port (name_bind) with any
# socket family listed here.
allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
# Ungated route-socket access. Note that bind is deliberately absent from this
# list; it is granted only by the restricted rule that follows, together with
# the privileged read permission split out of nlmsg_read.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
# to avoid app-compat breakage.
# The subtraction below withholds bind as well as nlmsg_readpriv, so the
# excluded domains get a route socket they can read from but cannot bind.
# When adding a domain to this exclusion list, check whether it needs its own
# explicit grant elsewhere, as the untrusted_app_25-29 carve-out does.
allow {
  netdomain
  -ephemeral_app
  -mediaprovider
  -untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv };

# Talks to netd via dnsproxyd socket.
# unix_socket_connect(client, socket, server) as used here; the macro itself
# is defined elsewhere in the policy.
unix_socket_connect(netdomain, dnsproxyd, netd)

# Talks to netd via fwmarkd socket.
unix_socket_connect(netdomain, fwmarkd, netd)

# Connect to mdnsd via mdnsd socket.
unix_socket_connect(netdomain, mdnsd, mdnsd)