# netd: the network management daemon.
#
# Layout: type declarations first, then what netd is allowed to do
# (grouped by concern), then the neverallow rules that pin down what it
# must never be granted.

type netd, domain, mlstrustedsubject;
type netd_exec, exec_type, file_type;

init_daemon_domain(netd)
net_domain(netd)

### Capabilities

allow netd self:capability { net_admin net_raw kill };
# fsetid is intentionally omitted. The kernel checks it on chmod of a
# file or directory owned by a group the process is not a member of, to
# decide whether the setgid bit should be cleared -- even when setgid
# was never set. netd does not appear to actually need it, so the
# denials are silenced rather than the capability granted.
dontaudit netd self:capability fsetid;

# Required to rewrite /data/misc/wifi/hostapd.conf.
# TODO: See what we can do to reduce the need for these capabilities.
# dac_override in particular bypasses discretionary permission checks
# on every file netd touches, so this grant is wider than its stated
# purpose.
allow netd self:capability { dac_override chown fowner };

### Sockets, device nodes and executables

allow netd self:netlink_kobject_uevent_socket create_socket_perms;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms;
allow netd self:netlink_socket create_socket_perms;
allow netd devpts:chr_file rw_file_perms;

# Execute shell and system binaries.
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;

### procfs / sysfs writes

# Needed for /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file write;

# Needed for /sys/modules/bcmdhd/parameters/firmware_path.
# XXX Split into its own type: as written this grants write access to
# every file labeled sysfs, far more than the single parameter file
# netd needs.
allow netd sysfs:file write;

### Data files

# /data/misc/wifi/hostapd.conf (the reason for the capability grant above).
allow netd wifi_data_file:file create_file_perms;
allow netd wifi_data_file:dir rw_dir_perms;

# /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;

### System properties

# Set the DHCP lease for a PAN connection.
set_prop(netd, dhcp_prop)
set_prop(netd, system_prop)
# Every system_prop set by netd is recorded in the audit log, so
# unexpected writes stay visible even though they are permitted.
auditallow netd system_prop:property_service set;
set_prop(netd, ctl_mdnsd_prop)

### Child daemons
#
# Each helper runs in its own domain via an automatic transition on
# exec; netd keeps only the ability to signal it.

# dhcp (used to connect to PAN)
domain_auto_trans(netd, dhcp_exec, dhcp)
allow netd dhcp:process signal;

# hostapd
domain_auto_trans(netd, hostapd_exec, hostapd)
allow netd hostapd:process signal;

# dnsmasq
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
allow netd dnsmasq:process signal;

# clatd
domain_auto_trans(netd, clatd_exec, clatd)
allow netd clatd:process signal;

### Sockets passed in from netdomain domains

# netd may operate on sockets handed to it, but not create them here.
allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
allow netd netdomain:fd use;

###
### Neverallow rules
###
### netd should NEVER do any of this. A policy build that grants any of
### these fails, so they act as compile-time guards against future
### over-broad allow rules.

# Block device access.
neverallow netd dev_type:blk_file { read write };

# ptrace of any other process.
neverallow netd { domain }:process ptrace;

# Writes to /system.
neverallow netd system_file:dir_file_class_set write;

# Writes to files in /data/data, or to system files on /data.
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;