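# network manager
#
# Type-enforcement policy for netd. Rendering gutter numbers that had been
# fused onto every line are stripped, and the system_file lock rule that was
# listed twice (xtables.lock / "the iptables lock") is kept once.
type netd, domain, mlstrustedsubject;
type netd_exec, exec_type, file_type;

net_domain(netd)
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;

r_dir_file(netd, cgroup)

# File descriptors handed over by system_server may be used.
allow netd system_server:fd use;

# kill is presumably what backs the dnsmasq/clatd signal rules further down,
# since those run as separate domains -- confirm against the callers.
allow netd self:global_capability_class_set { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set.  We do not appear to truly need this capability
# for netd to operate.
dontaudit netd self:global_capability_class_set fsetid;

# Netlink families netd opens itself. Only tcpdiag (and xfrm, below) get
# nlmsg_read/nlmsg_write on top of the socket perms; route only gets
# nlmsg_write here -- whatever else it needs presumably comes from
# net_domain() -- confirm.
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
allow netd self:netlink_socket create_socket_perms_no_ioctl;
allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;

# Executables netd may run: shell scripts, /system binaries and, on
# non-Treble builds only, vendor binaries. No domain transition is declared
# here, so anything executed presumably keeps running as netd with every
# capability granted in this file -- confirm before adding new helpers.
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
not_full_treble(`allow netd vendor_file:file x_file_perms;')
allow netd devpts:chr_file rw_file_perms;

# Acquire advisory lock on /system/etc/xtables.lock (the iptables lock).
allow netd system_file:file lock;

# Allow netd to write to qtaguid ctrl file. This is the same privilege level that normal apps have
# TODO: Add proper rules to prevent other process to access qtaguid_proc file after migration
#       complete
allow netd qtaguid_proc:file rw_file_perms;
# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
allow netd qtaguid_device:chr_file r_file_perms;

r_dir_file(netd, proc_net)
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file rw_file_perms;

# Enables PppController and interface enumeration (among others)
allow netd sysfs:dir r_dir_perms;
r_dir_file(netd, sysfs_net)

# Allows setting interface MTU
allow netd sysfs_net:file w_file_perms;

# TODO: added to match above sysfs rule. Remove me?
# Nothing else in this file depends on sysfs_usb.
allow netd sysfs_usb:file write;

# Presumably where netd pins its BPF objects (see the self:bpf rule below) -- confirm.
allow netd fs_bpf:dir  create_dir_perms;
allow netd fs_bpf:file create_file_perms;

# TODO: netd previously thought it needed these permissions to do WiFi related
#       work.  However, after all the WiFi stuff is gone, we still need them.
#       Why?
# dac_override bypasses DAC permission checks on every file netd touches, so
# it widens the impact of any flaw in netd; recording the concrete need here
# (or narrowing the rule) is what would let the TODO be closed.
allow netd self:global_capability_class_set { dac_override chown };

# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
allow netd self:global_capability_class_set fowner;

# Allow netd to spawn dnsmasq in its own domain
allow netd dnsmasq:process signal;

# Allow netd to start clatd in its own domain
allow netd clatd:process signal;

# ctl_mdnsd_prop is presumably the ctl.* property used to start/stop mdnsd -- confirm.
set_prop(netd, ctl_mdnsd_prop)
set_prop(netd, netd_stable_secret_prop)

# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
add_service(netd, netd_service)
allow netd dumpstate:fifo_file  { getattr write };

# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
allow netd permission_service:service_manager find;

# Allow netd to talk to the framework service which collects netd events.
allow netd netd_listener_service:service_manager find;

# Allow netd to operate on sockets that are passed to it.
# Only use of existing sockets is granted (read/write/attrs/options), not
# create/bind/connect: netd works on sockets other net domains hand it, it
# does not own them.
allow netd netdomain:{
  tcp_socket
  udp_socket
  rawip_socket
  tun_socket
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;

# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };

# give netd permission to use eBPF functionalities
# Map permissions only; prog_load / prog_run are not granted here.
allow netd self:bpf { map_create map_read map_write };

# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
get_prop(netd, hwservicemanager_prop)

###
### Neverallow rules
###
### netd should NEVER do any of this

# Block device access.
neverallow netd dev_type:blk_file { read write };

# ptrace any other app
neverallow netd { domain }:process ptrace;

# Write to /system.
neverallow netd system_file:dir_file_class_set write;

# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;

# only system_server and dumpstate may find netd service
neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;

# only netd can create the bpf maps
# Note this locks down map_create only: it does not on its own stop another
# domain from being granted map_read/map_write on netd's maps. Whether any
# other domain needs those is not decided by this file.
neverallow { domain -netd } netd:bpf { map_create };

# apps may not interact with netd over binder.
# (and netd may not call into apps; su is exempted on userdebug/eng builds)
neverallow appdomain netd:binder call;
neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;

# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
# init and dumpstate are the only domains besides netd left able to read it;
# confirm that what dumpstate does with the value is consistent with the
# "never leaks" intent above.
neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;

# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;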