• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1typeattribute netutils_wrapper coredomain;
2typeattribute netutils_wrapper bpfdomain;
3
4r_dir_file(netutils_wrapper, system_file);
5
6# For netutils (ip, iptables, tc)
7allow netutils_wrapper self:global_capability_class_set net_raw;
8
9allow netutils_wrapper system_file:file { execute execute_no_trans };
10allow netutils_wrapper proc_net_type:file { open read getattr };
11allow netutils_wrapper self:rawip_socket create_socket_perms;
12allow netutils_wrapper self:udp_socket create_socket_perms;
13allow netutils_wrapper self:global_capability_class_set net_admin;
14# ip utils need everything but ioctl
15allow netutils_wrapper self:netlink_route_socket ~ioctl;
16allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
17
18# For netutils (ndc) to be able to talk to netd
19allow netutils_wrapper netd_service:service_manager find;
20allow netutils_wrapper dnsresolver_service:service_manager find;
21allow netutils_wrapper mdns_service:service_manager find;
22binder_use(netutils_wrapper);
23binder_call(netutils_wrapper, netd);
24
25# For vendor code that update the iptables rules at runtime. They need to reload
26# the whole chain including the xt_bpf rules. They need to access to the pinned
27# program when reloading the rule.
28allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
29allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
30allow netutils_wrapper { fs_bpf                    }:file write;
31allow netutils_wrapper bpfloader:bpf prog_run;
32
33# For /data/misc/net access to ndc and ip
34r_dir_file(netutils_wrapper, net_data_file)
35
36domain_auto_trans({
37    domain
38    -coredomain
39    -appdomain
40}, netutils_wrapper_exec, netutils_wrapper)
41
42# suppress spurious denials
43dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
44dontaudit netutils_wrapper sysfs_type:file read;
45
46# netutils wrapper may only use the following capabilities.
47neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
48