| # network manager |
| type netd, domain, mlstrustedsubject; |
| type netd_exec, system_file_type, exec_type, file_type; |
| |
| net_domain(netd) |
| # in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls. |
| allowxperm netd self:udp_socket ioctl priv_sock_ioctls; |
| |
| r_dir_file(netd, cgroup) |
| |
| allow netd system_server:fd use; |
| |
| allow netd self:global_capability_class_set { net_admin net_raw kill }; |
| # Note: fsetid is deliberately not included above. fsetid checks are |
| # triggered by chmod on a directory or file owned by a group other |
| # than one of the groups assigned to the current process to see if |
| # the setgid bit should be cleared, regardless of whether the setgid |
| # bit was even set. We do not appear to truly need this capability |
| # for netd to operate. |
| dontaudit netd self:global_capability_class_set fsetid; |
| |
| # Allow netd to open /dev/tun, set it up and pass it to clatd |
| allow netd tun_device:chr_file rw_file_perms; |
| allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF }; |
| allow netd self:tun_socket create; |
| |
| allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; |
| allow netd self:netlink_route_socket nlmsg_write; |
| allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl; |
| allow netd self:netlink_socket create_socket_perms_no_ioctl; |
| allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write }; |
| allow netd self:netlink_generic_socket create_socket_perms_no_ioctl; |
| allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl; |
| allow netd shell_exec:file rx_file_perms; |
| allow netd system_file:file x_file_perms; |
| not_full_treble(`allow netd vendor_file:file x_file_perms;') |
| allow netd devpts:chr_file rw_file_perms; |
| |
| # Acquire advisory lock on /system/etc/xtables.lock |
| allow netd system_file:file lock; |
| |
| # Allow netd to write to qtaguid ctrl file. |
| # TODO: Add proper rules to prevent other process to access qtaguid_proc file |
| # after migration complete |
| allow netd proc_qtaguid_ctrl:file rw_file_perms; |
| # Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have. |
| allow netd qtaguid_device:chr_file r_file_perms; |
| |
| r_dir_file(netd, proc_net_type) |
| # For /proc/sys/net/ipv[46]/route/flush. |
| allow netd proc_net_type:file rw_file_perms; |
| |
| # Enables PppController and interface enumeration (among others) |
| allow netd sysfs:dir r_dir_perms; |
| r_dir_file(netd, sysfs_net) |
| |
| # Allows setting interface MTU |
| allow netd sysfs_net:file w_file_perms; |
| |
| # TODO: added to match above sysfs rule. Remove me? |
| allow netd sysfs_usb:file write; |
| |
| r_dir_file(netd, cgroup_bpf) |
| |
| allow netd fs_bpf:dir search; |
| allow netd fs_bpf:file { read write }; |
| |
| # TODO: netd previously thought it needed these permissions to do WiFi related |
| # work. However, after all the WiFi stuff is gone, we still need them. |
| # Why? |
| allow netd self:global_capability_class_set { dac_override dac_read_search chown }; |
| |
| # Needed to update /data/misc/net/rt_tables |
| allow netd net_data_file:file create_file_perms; |
| allow netd net_data_file:dir rw_dir_perms; |
| allow netd self:global_capability_class_set fowner; |
| |
| # Needed to lock the iptables lock. |
| allow netd system_file:file lock; |
| |
| # Allow netd to spawn dnsmasq in it's own domain |
| allow netd dnsmasq:process signal; |
| |
| set_prop(netd, ctl_mdnsd_prop) |
| set_prop(netd, netd_stable_secret_prop) |
| |
| # Allow netd to publish a binder service and make binder calls. |
| binder_use(netd) |
| add_service(netd, netd_service) |
| add_service(netd, dnsresolver_service) |
| allow netd dumpstate:fifo_file { getattr write }; |
| |
| # Allow netd to call into the system server so it can check permissions. |
| allow netd system_server:binder call; |
| allow netd permission_service:service_manager find; |
| |
| # Allow netd to talk to the framework service which collects netd events. |
| allow netd netd_listener_service:service_manager find; |
| |
| # Allow netd to operate on sockets that are passed to it. |
| allow netd netdomain:{ |
| icmp_socket |
| tcp_socket |
| udp_socket |
| rawip_socket |
| tun_socket |
| } { read write getattr setattr getopt setopt }; |
| allow netd netdomain:fd use; |
| |
| # give netd permission to read and write netlink xfrm |
| allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read }; |
| |
| # Allow netd to register as hal server. |
| add_hwservice(netd, system_net_netd_hwservice) |
| hwbinder_use(netd) |
| get_prop(netd, hwservicemanager_prop) |
| get_prop(netd, device_config_netd_native_prop) |
| |
| ### |
| ### Neverallow rules |
| ### |
| ### netd should NEVER do any of this |
| |
| # Block device access. |
| neverallow netd dev_type:blk_file { read write }; |
| |
| # ptrace any other app |
| neverallow netd { domain }:process ptrace; |
| |
| # Write to /system. |
| neverallow netd system_file:dir_file_class_set write; |
| |
| # Write to files in /data/data or system files on /data |
| neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write; |
| |
| # only system_server, dumpstate and network stack app may find netd service |
| neverallow { |
| domain |
| -system_server |
| -dumpstate |
| -network_stack |
| -netd |
| -netutils_wrapper |
| } netd_service:service_manager find; |
| |
| # only system_server, dumpstate and network stack app may find dnsresolver service |
| neverallow { |
| domain |
| -system_server |
| -dumpstate |
| -network_stack |
| -netd |
| -netutils_wrapper |
| } dnsresolver_service:service_manager find; |
| |
| # apps may not interact with netd over binder. |
| neverallow { appdomain -network_stack } netd:binder call; |
| neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call; |
| |
| # persist.netd.stable_secret contains RFC 7217 secret key which should never be |
| # leaked to other processes. Make sure it never leaks. |
| neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms; |
| |
| # We want to ensure that no other process ever tries tampering with persist.netd.stable_secret, |
| # the RFC 7217 secret key managed by netd. Doing so could compromise user privacy. |
| neverallow { domain -netd -init } netd_stable_secret_prop:property_service set; |
| |
| # If an already existing file is opened with O_CREATE, the kernel might generate |
| # a false report of a create denial. Silence these denials and make sure that |
| # inappropriate permissions are not granted. |
| neverallow netd proc_net:dir no_w_dir_perms; |
| dontaudit netd proc_net:dir write; |
| |
| neverallow netd sysfs_net:dir no_w_dir_perms; |
| dontaudit netd sysfs_net:dir write; |
| |
| # Netd should not have SYS_ADMIN privs. |
| neverallow netd self:capability sys_admin; |
| dontaudit netd self:capability sys_admin; |
| |
| # Netd should not have SYS_MODULE privs, nor should it be requesting module loads |
| # (things it requires should be built directly into the kernel) |
| dontaudit netd self:capability sys_module; |
| |
| dontaudit netd kernel:system module_request; |