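# network manager
type netd, domain, mlstrustedsubject;
type netd_exec, system_file_type, exec_type, file_type;

net_domain(netd)
# In addition to the ioctls allowlisted for all domains, grant netd
# the privileged socket ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;

r_dir_file(netd, cgroup)

# Use file descriptors handed to netd by system_server.
allow netd system_server:fd use;

allow netd self:global_capability_class_set { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for netd to operate, so only silence the resulting denials.
dontaudit netd self:global_capability_class_set fsetid;

# Allow netd to open /dev/tun, set it up and pass it to clatd.
# Only the two ioctls needed for that are permitted.
allow netd tun_device:chr_file rw_file_perms;
allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
allow netd self:tun_socket create;

# Netlink sockets netd creates for itself. None of these carry ioctl
# permission; xfrm is granted further below with nlmsg_read/nlmsg_write.
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
allow netd self:netlink_socket create_socket_perms_no_ioctl;
allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
# Execute helper binaries (e.g. via shell) from /system; on non-Treble
# builds also from /vendor.
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
not_full_treble(`allow netd vendor_file:file x_file_perms;')
allow netd devpts:chr_file rw_file_perms;

# Acquire the advisory iptables/xtables lock on /system/etc/xtables.lock.
# If this file doesn't exist, creating it in the read-only /system fails;
# suppress that denial rather than grant dir write (see the neverallow
# on system_file below).
allow netd system_file:file lock;
dontaudit netd system_file:dir write;

# Allow netd to write to qtaguid ctrl file.
# TODO: Add proper rules to prevent other processes from accessing the
# qtaguid_proc file after the migration is complete.
allow netd proc_qtaguid_ctrl:file rw_file_perms;
# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
allow netd qtaguid_device:chr_file r_file_perms;

r_dir_file(netd, proc_net_type)
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net_type:file rw_file_perms;

# Enables PppController and interface enumeration (among others)
allow netd sysfs:dir r_dir_perms;
r_dir_file(netd, sysfs_net)

# Allows setting interface MTU
allow netd sysfs_net:file w_file_perms;

# TODO: added to match the sysfs_net rule above. No netd use of sysfs_usb
# is documented here; remove if no denial appears without it.
allow netd sysfs_usb:file write;

r_dir_file(netd, cgroup_bpf)

# Access pinned BPF maps/programs under /sys/fs/bpf.
allow netd fs_bpf:dir search;
allow netd fs_bpf:file { read write };

# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why? Note that dac_override bypasses DAC read/write/execute checks on
# every file netd can reach under MAC, so this should be narrowed once the
# actual paths needing it are identified.
allow netd self:global_capability_class_set { dac_override dac_read_search chown };

# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
allow netd self:global_capability_class_set fowner;

# Allow netd to signal dnsmasq, which runs in its own domain.
# NOTE(review): the domain transition for spawning dnsmasq is not in this
# file; only the signal permission is granted here.
allow netd dnsmasq:process signal;

# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
add_service(netd, netd_service)
add_service(netd, dnsresolver_service)
# Write dumps into the pipe dumpstate hands over.
allow netd dumpstate:fifo_file { getattr write };

# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
allow netd permission_service:service_manager find;

# Allow netd to talk to the framework service which collects netd events.
allow netd netd_listener_service:service_manager find;

# Allow netd to operate on sockets that are passed to it.
# Deliberately no create/bind/connect/ioctl: netd only manipulates sockets
# that the owning domain already opened.
allow netd netdomain:{
    icmp_socket
    tcp_socket
    udp_socket
    rawip_socket
    tun_socket
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;

# Give netd permission to read and write netlink xfrm (IPsec SA/SP).
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };

# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)

###
### Neverallow rules
###
### netd should NEVER do any of this

# Block device access.
neverallow netd dev_type:blk_file { read write };

# ptrace any other process.
neverallow netd { domain }:process ptrace;

# Write to /system.
neverallow netd system_file:dir_file_class_set write;

# Write to files in /data/data or system files on /data
neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;

# Only system_server, dumpstate, the network stack app and netutils_wrapper
# may find the netd service.
neverallow {
    domain
    -system_server
    -dumpstate
    -network_stack
    -netd
    -netutils_wrapper
} netd_service:service_manager find;

# Only system_server, dumpstate, the network stack app and netutils_wrapper
# may find the dnsresolver service.
neverallow {
    domain
    -system_server
    -dumpstate
    -network_stack
    -netd
    -netutils_wrapper
} dnsresolver_service:service_manager find;

# Apps may not interact with netd over binder (network_stack excepted, and
# su on userdebug/eng builds for the netd-to-app direction).
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;

# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
neverallow netd proc_net:dir no_w_dir_perms;
dontaudit netd proc_net:dir write;

neverallow netd sysfs_net:dir no_w_dir_perms;
dontaudit netd sysfs_net:dir write;

# Netd should not have SYS_ADMIN privs.
neverallow netd self:capability sys_admin;
dontaudit netd self:capability sys_admin;

# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
# (things it requires should be built directly into the kernel).
# Enforced with neverallow, mirroring the sys_admin rule above, so a later
# allow cannot quietly reintroduce it; the dontaudits keep the logs quiet.
neverallow netd self:capability sys_module;
dontaudit netd self:capability sys_module;

neverallow netd kernel:system module_request;
dontaudit netd kernel:system module_request;

# Apps may hand netd their unix stream sockets; netd must not read/write
# them, just stop logging the attempts.
dontaudit netd appdomain:unix_stream_socket { read write };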