# network manager
# mlstrustedsubject exempts netd from MLS constraints, so it can act on
# objects of any MLS level (presumably needed for the app-provided sockets
# handled further down). This widens what netd may touch; keep it justified.
type netd, domain, mlstrustedsubject;
type netd_exec, system_file_type, exec_type, file_type;

net_domain(netd)
# Connect to mdnsd via mdnsd socket.
unix_socket_connect(netd, mdnsd, mdnsd)
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
# Only the UDP socket class gets the privileged ioctl set; other socket classes
# stay on the common allowlist.
allow netd self:udp_socket ioctl priv_sock_ioctls;
Nick Kralevichbc190502013-12-15 19:04:09 -080010
r_dir_file(netd, cgroup)

# netd receives file descriptors from system_server (app-provided sockets are
# covered separately by the netdomain rules below).
allow netd system_server:fd use;

# net_admin/net_raw are the core networking capabilities; kill is presumably
# for signalling helper daemons (see the dnsmasq signal rule below).
allow netd self:global_capability_class_set { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for netd to operate.
dontaudit netd self:global_capability_class_set fsetid;
Stephen Smalleyd581b812014-02-24 13:00:59 -050023
# Allow netd to open /dev/tun, set it up and pass it to clatd
allow netd tun_device:chr_file rw_file_perms;
# Restrict the ioctl space to the two TUN setup ioctls rather than granting
# the whole range; any other ioctl on /dev/tun is still denied.
allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
allow netd self:tun_socket create;
28
# Netlink sockets netd creates for itself. The families that only need the
# plain create/use set are grouped; route and tcpdiag carry extra nlmsg
# permissions and are listed on their own.
allow netd self:{
    netlink_kobject_uevent_socket
    netlink_nflog_socket
    netlink_socket
    netlink_generic_socket
    netlink_netfilter_socket
} create_socket_perms_no_ioctl;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };

# netd may execute the shell and any system_file binary (and, pre-Treble,
# vendor binaries) and use a pty. For a net_admin-capable daemon this is a
# broad exec surface; it should stay limited to the helpers netd actually runs.
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
not_full_treble(`allow netd vendor_file:file x_file_perms;')
allow netd devpts:chr_file rw_file_perms;
40
# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
# exist, suppress the denial.
allow netd system_file:file lock;
# The dontaudit only silences the log line for the attempted create; the
# neverallow on system_file_type write further down guarantees it is never
# actually granted.
dontaudit netd system_file:dir write;
Nick Kralevich4a580cc2017-04-04 18:34:52 -070045
# Allow netd to write to qtaguid ctrl file.
# TODO: Add proper rules to prevent other processes from accessing the
# qtaguid proc file once the migration is complete.
allow netd proc_qtaguid_ctrl:file rw_file_perms;
# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
allow netd qtaguid_device:chr_file r_file_perms;
Chenbo Feng185941a2017-10-24 14:40:53 -070052
r_dir_file(netd, proc_net_type)
# For /proc/sys/net/ipv[46]/route/flush.
# Note: this grants read/write on every proc_net_type file, not only the
# route-flush knobs named above.
allow netd proc_net_type:file rw_file_perms;
Nick Kralevichdbd28d92013-06-27 15:11:02 -070056
# Enables PppController and interface enumeration (among others)
allow netd sysfs:dir r_dir_perms;
r_dir_file(netd, sysfs_net)

# Allows setting interface MTU
# (write access covers all sysfs_net files, not just the mtu attribute)
allow netd sysfs_net:file w_file_perms;
Nick Kralevichdbd28d92013-06-27 15:11:02 -070063
# TODO: added to match above sysfs rule. Remove me?
# NOTE(review): nothing in this file explains why netd writes to sysfs_usb;
# verify with audit logs and drop the rule if no denial appears.
allow netd sysfs_usb:file write;

r_dir_file(netd, cgroup_v2)
Chenbo Feng7b571042018-12-04 17:57:27 -080068
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
# NOTE(review): dac_override bypasses every DAC permission check and chown lets
# netd re-own files; together they let netd take over any file its SELinux
# rules can reach. This TODO is still open and worth auditing against real
# denials before the rule is kept indefinitely.
allow netd self:global_capability_class_set { dac_override dac_read_search chown };
Nick Kralevichdbd28d92013-06-27 15:11:02 -070073
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
# fowner: operate on files netd does not own (presumably the rt_tables file
# above when it is owned by another uid).
allow netd self:global_capability_class_set fowner;
Sreeram Ramachandran65edb752014-07-07 22:04:57 -070078
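# Needed to lock the iptables lock.
# The advisory lock on /system/etc/xtables.lock is already granted above via
# "allow netd system_file:file lock;"; a second identical rule is redundant
# and only invites the two copies to drift apart.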
81
# Allow netd to signal and kill dnsmasq. This rule only grants signal
# delivery; the domain transition that runs dnsmasq in its own domain is not
# declared here (presumably in dnsmasq's own policy).
allow netd dnsmasq:process { sigkill signal };
Nick Kralevichdbd28d92013-06-27 15:11:02 -070084
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
# Services netd registers; who may find them is restricted by the neverallow
# rules at the end of this file.
add_service(netd, netd_service)
add_service(netd, dnsresolver_service)
add_service(netd, mdns_service)
# Write dump output into dumpstate's pipe.
allow netd dumpstate:fifo_file { getattr write };
Lorenzo Colitti24dcc8b2016-02-18 23:55:51 +090091
# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
allow netd permission_service:service_manager find;
Lorenzo Colitti24dcc8b2016-02-18 23:55:51 +090095
# Allow netd to talk to the framework service which collects netd events.
allow netd netd_listener_service:service_manager find;
Lorenzo Colitti71d6ddc2016-04-14 00:14:58 +090098
# Allow netd to operate on sockets that are passed to it.
# setattr/setopt mean netd can change options on app-owned sockets, not just
# read from them; this is limited to the IP and tun socket classes listed here.
allow netd netdomain:{
    icmp_socket
    tcp_socket
    udp_socket
    rawip_socket
    tun_socket
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;
108
# give netd permission to read and write netlink xfrm (kernel IPsec
# SA/policy configuration)
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
111
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
Dan Cashman91d398d2017-09-26 12:58:29 -0700115
# AIDL hal server
# NOTE(review): the first argument to binder_call here is
# system_net_netd_service, which the next line uses as a service_manager
# target, not a domain; the intended source is presumably netd (binder_use
# above already covers netd <-> servicemanager) — confirm this expansion is
# meaningful before relying on it.
binder_call(system_net_netd_service, servicemanager)
add_service(netd, system_net_netd_service)
119
###
### Neverallow rules
###
### netd should NEVER do any of this

# Block device access.
neverallow netd dev_type:blk_file { read write };

# ptrace any process (domain covers every domain, netd itself included)
neverallow netd { domain }:process ptrace;

# Write to /system.
neverallow netd system_file_type:dir_file_class_set write;

# Write to files in /data/data or system files on /data
neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
Lorenzo Colitti9119f122016-03-02 22:57:34 +0900136
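# Only system_server, dumpstate, the network stack app, netutils_wrapper and
# netd itself may look up the netd, dnsresolver and mdns services. The three
# services share one exclusion list so the lists cannot drift apart.
neverallow {
    domain
    -system_server
    -dumpstate
    -network_stack
    -netd
    -netutils_wrapper
} {
    netd_service
    dnsresolver_service
    mdns_service
}:service_manager find;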
166
# apps may not interact with netd over binder (in either direction); the
# network stack app is the only exception, plus su on userdebug/eng builds
# for the netd -> app direction.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
Lorenzo Colitti5b3efd32017-07-11 09:43:19 +0900170
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
neverallow netd proc_net:dir no_w_dir_perms;
dontaudit netd proc_net:dir write;

neverallow netd sysfs_net:dir no_w_dir_perms;
dontaudit netd sysfs_net:dir write;
Maciej Żenczykowskid4a692f2020-01-24 04:50:04 -0800179
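# Netd should not have SYS_ADMIN privs. Use the same capability class set as
# the allow rules above so the ban covers cap_userns as well as capability.
neverallow netd self:global_capability_class_set sys_admin;
dontaudit netd self:global_capability_class_set sys_admin;

# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
# (things it requires should be built directly into the kernel)
# NOTE(review): unlike sys_admin this is only silenced, not neverallow'd;
# add a neverallow once it is confirmed no policy grants it.
dontaudit netd self:global_capability_class_set sys_module;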
187
# Silence (without granting) attempts to read/write app-owned unix stream
# sockets; the netdomain socket rules above intentionally cover only the IP
# and tun socket classes.
dontaudit netd appdomain:unix_stream_socket { read write };