# netd: the network manager daemon.
#
# Declares the netd domain and the type of its executable, then lists what
# the daemon is allowed to do. Allow rules match on labels, not paths: a rule
# justified by one file also covers every other object with the same type.
type netd, domain;
type netd_exec, exec_type, file_type;

# Run netd in its own domain when init starts netd_exec, and give it the
# common network-client permissions.
init_daemon_domain(netd)
net_domain(netd)

# Network administration, raw sockets, and sending signals.
allow netd self:capability { net_admin net_raw kill };
# Note: fsetid is deliberately left out of the set above. The kernel performs
# an fsetid check on chmod of a file or directory whose group is not one of
# the groups of the calling process, to decide whether the setgid bit must be
# cleared, and it does so whether or not the setgid bit was set. netd does
# not appear to need the capability. Once the removal has had sufficient
# testing, uncomment the dontaudit rule below to silence the denials.
# dontaudit netd self:capability fsetid;

# Netlink sockets owned by netd: kernel uevents, route changes, NFLOG.
allow netd self:netlink_nflog_socket create_socket_perms;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_kobject_uevent_socket create_socket_perms;

# Execute the shell and binaries labelled system_file, and use a pty.
# NOTE(review): no domain transition is declared for these two types in this
# file, so unless another rule provides one the programs run in the netd
# domain with every permission granted here. Review the callers accordingly.
allow netd devpts:chr_file rw_file_perms;
allow netd system_file:file x_file_perms;
allow netd shell_exec:file rx_file_perms;

# For /proc/sys/net/ipv[46]/route/flush.
# The grant applies to every file labelled proc_net, not only the flush nodes.
allow netd proc_net:file write;

# For /sys/modules/bcmdhd/parameters/firmware_path
# XXX Split into its own type. Until then this grants write to every file
# that carries the generic sysfs label.
allow netd sysfs:file write;

# Set dhcp lease for PAN connection: talk to the property socket owned by
# init and set the DHCP properties.
unix_socket_connect(netd, property, init)
allow netd dhcp_prop:property_service set;
# Setting system_prop is allowed but audited. auditallow logs each granted
# set, which gives the data needed to narrow this rule later.
# NOTE(review): presumably that is the intent of the auditallow; confirm.
auditallow netd system_prop:property_service set;
allow netd system_prop:property_service set;

# Connect to PAN: the DHCP client runs in the dhcp domain, not in netd.
allow netd dhcp:process signal;
domain_auto_trans(netd, dhcp_exec, dhcp)

# Needed to update /data/misc/wifi/hostapd.conf
# TODO: See what we can do to reduce the need for these capabilities.
# dac_override, chown and fowner bypass ordinary file permission and
# ownership checks, so SELinux type enforcement is the remaining limit on
# which files netd can change.
allow netd self:capability { dac_override chown fowner };
allow netd wifi_data_file:dir rw_dir_perms;
allow netd wifi_data_file:file create_file_perms;

# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:dir rw_dir_perms;
allow netd net_data_file:file create_file_perms;

# Allow netd to spawn hostapd in its own domain
allow netd hostapd:process signal;
domain_auto_trans(netd, hostapd_exec, hostapd)

# Allow netd to spawn dnsmasq in its own domain
allow netd dnsmasq:process signal;
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)

# Allow netd to start clatd in its own domain
allow netd clatd:process signal;
domain_auto_trans(netd, clatd_exec, clatd)

# NOTE(review): presumably the ctl property used to start and stop mdnsd;
# confirm against property_contexts.
allow netd ctl_mdnsd_prop:property_service set;

# Allow netd to operate on sockets that are passed to it.
# netd may use descriptors handed over by any netdomain member and adjust
# those sockets. The list carries no create, bind or connect permission.
allow netd netdomain:fd use;
allow netd netdomain:{
    tcp_socket
    udp_socket
    rawip_socket
    dccp_socket
    tun_socket
} {
    read
    write
    getattr
    setattr
    getopt
    setopt
};

###
### Neverallow rules
###
### netd should NEVER do any of this
###
### These are assertions checked when the policy is compiled: a build fails
### if any allow rule, in this file or elsewhere, grants the listed access.

# Block device access.
neverallow netd dev_type:blk_file { read write };

# ptrace any other app
neverallow netd domain:process ptrace;

# Write to /system.
neverallow netd system_file:dir_file_class_set write;

# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;