# network manager
#
# Domain for netd, Android's network management daemon. The rules below show
# what it touches: routing/netfilter/xfrm netlink, /dev/tun (for clatd),
# /proc and /sys network knobs, dnsmasq, and binder/HIDL services consumed
# by system_server. Neverallow assertions for this domain are at the bottom
# of the file.
#
# mlstrustedsubject: netd is exempt from the MLS constraints, so it can reach
# objects at any MLS level (e.g. across users). Any widening of this domain
# therefore has a larger reach than the same rule in an ordinary domain.
type netd, domain, mlstrustedsubject;
type netd_exec, system_file_type, exec_type, file_type;

net_domain(netd)
# Connect to mdnsd via mdnsd socket.
unix_socket_connect(netd, mdnsd, mdnsd)
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;

r_dir_file(netd, cgroup)

# Use file descriptors handed over by system_server (presumably the sockets
# covered by the netdomain rules further down).
allow netd system_server:fd use;

# net_admin: interface/route/netfilter configuration; net_raw: raw and packet
# sockets; kill: presumably for signalling child daemons (cf. the dnsmasq
# signal rule below). These three are the core of netd's privilege.
allow netd self:global_capability_class_set { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set.  We do not appear to truly need this capability
# for netd to operate.
dontaudit netd self:global_capability_class_set fsetid;

# Allow netd to open /dev/tun, set it up and pass it to clatd
allow netd tun_device:chr_file rw_file_perms;
# ioctl on the tun device is restricted to exactly these two requests
# (query / attach interface); every other ioctl is denied.
allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
allow netd self:tun_socket create;

# Netlink families netd uses. Most are limited to create_socket_perms_no_ioctl
# (no ioctl); nlmsg_write is only granted where netd must change kernel state.
# For netlink_route_socket only the write half is added here — the base
# socket permissions presumably come from net_domain() above (confirm).
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
allow netd self:netlink_socket create_socket_perms_no_ioctl;
# nlmsg_write on tcpdiag is presumably for socket destruction — confirm.
allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
# netd executes shell scripts and system binaries (presumably the iptables/ip
# helpers it spawns). Since netd holds net_admin, keep this set minimal.
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
# Pre-Treble devices may also execute vendor binaries; full-Treble builds do not.
not_full_treble(`allow netd vendor_file:file x_file_perms;')
allow netd devpts:chr_file rw_file_perms;

# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
# exist, suppress the denial.
# The dontaudit only hides the failed create; writing to /system itself stays
# forbidden by the neverallow on system_file:dir_file_class_set below.
allow netd system_file:file lock;
dontaudit netd system_file:dir write;

# Allow netd to write to qtaguid ctrl file.
# TODO: Add proper rules to prevent other processes from accessing the
# qtaguid_proc file after migration complete
# NOTE(review): until that TODO is resolved, the isolation of this control
# file depends on what the other domains that can reach it are granted.
allow netd proc_qtaguid_ctrl:file rw_file_perms;
# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
allow netd qtaguid_device:chr_file r_file_perms;

r_dir_file(netd, proc_net_type)
# For /proc/sys/net/ipv[46]/route/flush.
# NOTE(review): rw_file_perms is granted to every file typed proc_net_type,
# not only the route/flush knob; a dedicated type for that file would narrow
# what netd can write under /proc/sys/net.
allow netd proc_net_type:file rw_file_perms;

# Enables PppController and interface enumeration (among others)
allow netd sysfs:dir r_dir_perms;
r_dir_file(netd, sysfs_net)

# Allows setting interface MTU
allow netd sysfs_net:file w_file_perms;

# TODO: added to match above sysfs rule. Remove me?
# NOTE(review): write access to sysfs_usb is unrelated to the network rules
# around it and the TODO is still open; if no denial appears without it,
# dropping it shrinks netd's reach into sysfs.
allow netd sysfs_usb:file write;

r_dir_file(netd, cgroup_v2)

# TODO: netd previously thought it needed these permissions to do WiFi related
#       work.  However, after all the WiFi stuff is gone, we still need them.
#       Why?
# NOTE(review): dac_override bypasses every discretionary (uid/gid/mode)
# check and dac_read_search bypasses read/search checks, so for netd the DAC
# layer is effectively off; file access is then bounded only by the SELinux
# rules in this file and the neverallows at the bottom.
allow netd self:global_capability_class_set { dac_override dac_read_search chown };

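# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
# fowner: act on files under net_data_file that netd does not own
# (presumably chmod/utimes on rt_tables — confirm); together with chown above
# this is what lets netd maintain /data/misc/net.
allow netd self:global_capability_class_set fowner;

# Locking the iptables (xtables) lock is already granted by the
# "allow netd system_file:file lock;" rule next to the xtables.lock comment
# above; the second, identical copy of that rule that used to sit here was
# redundant and has been dropped.

# Allow netd to spawn dnsmasq in its own domain
# (the domain transition itself is not defined in this file; only the right
# to signal the child is granted here)
allow netd dnsmasq:process signal;
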
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
add_service(netd, netd_service)
add_service(netd, dnsresolver_service)
add_service(netd, mdns_service)
# Write into a pipe owned by dumpstate (presumably bugreport dump output).
allow netd dumpstate:fifo_file  { getattr write };

# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
allow netd permission_service:service_manager find;

# Allow netd to talk to the framework service which collects netd events.
allow netd netd_listener_service:service_manager find;

# Allow netd to operate on sockets that are passed to it.
# Deliberately no create/bind/connect/listen/accept here: netd can read,
# write and configure a socket another netdomain process already opened,
# but cannot originate connections in that process's name.
allow netd netdomain:{
  icmp_socket
  tcp_socket
  udp_socket
  rawip_socket
  tun_socket
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;

# give netd permission to read and write netlink xfrm
# (kernel IPsec SA/policy database; nlmsg_write lets netd install and remove
# transforms and policies)
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };

# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)

# AIDL hal server
# NOTE(review): binder_call() normally takes a *domain* as its first argument,
# but system_net_netd_service is the service type registered on the next
# line, so this call looks like a no-op. netd's own binder rights towards
# servicemanager should already come from binder_use(netd) above; confirm
# whether this line was meant to be binder_call(netd, servicemanager) or can
# be dropped.
binder_call(system_net_netd_service, servicemanager)
add_service(netd, system_net_netd_service)

###
### Neverallow rules
###
### netd should NEVER do any of this
###
### These are build-time assertions: policy compilation fails if any other
### .te file (including vendor policy) grants one of them.

# Block device access.
neverallow netd dev_type:blk_file { read write };

# ptrace any other app
neverallow netd { domain }:process ptrace;

# Write to /system.
neverallow netd system_file:dir_file_class_set write;

# Write to files in /data/data or system files on /data
neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;

# only system_server, dumpstate and network stack app may find netd service
# The three exclusion lists below (netd_service, dnsresolver_service,
# mdns_service) are intentionally identical; keep them in sync when one
# changes, or fold them into a shared attribute so they cannot drift.
neverallow {
    domain
    -system_server
    -dumpstate
    -network_stack
    -netd
    -netutils_wrapper
} netd_service:service_manager find;

# only system_server, dumpstate and network stack app may find dnsresolver service
neverallow {
    domain
    -system_server
    -dumpstate
    -network_stack
    -netd
    -netutils_wrapper
} dnsresolver_service:service_manager find;

# only system_server, dumpstate and network stack app may find mdns service
neverallow {
    domain
    -system_server
    -dumpstate
    -network_stack
    -netd
    -netutils_wrapper
} mdns_service:service_manager find;

# apps may not interact with netd over binder.
# Both directions are asserted: apps (other than network_stack) cannot call
# netd, and netd cannot call back into apps; `su` is exempted from the second
# rule only on userdebug/eng builds.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;

# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
# (The neverallow pins the "no write" property; the dontaudit only keeps the
# log quiet and grants nothing.)
neverallow netd proc_net:dir no_w_dir_perms;
dontaudit netd proc_net:dir write;

neverallow netd sysfs_net:dir no_w_dir_perms;
dontaudit netd sysfs_net:dir write;

# Netd should not have SYS_ADMIN privs.
neverallow netd self:capability sys_admin;
dontaudit netd self:capability sys_admin;

# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
# (things it requires should be built directly into the kernel)
# NOTE(review): unlike sys_admin above, sys_module is only dontaudit'ed, not
# neverallow'ed, so a later grant in another policy file would pass the build
# unnoticed; a matching `neverallow netd self:capability sys_module;` would
# enforce this comment (check vendor policy for an existing grant first).
dontaudit netd self:capability sys_module;

dontaudit netd kernel:system module_request;

# Silence, without granting, read/write on app unix stream sockets
# (presumably fds that reach netd by accident or via passing — confirm).
dontaudit netd appdomain:unix_stream_socket { read write };
