# network manager
#
# SELinux policy for netd, the Android network management daemon.
# The allow rules below are the whole of what this file grants netd;
# the neverallow block at the end pins down what netd must never be
# given, so a later edit (or a macro expansion) cannot widen it silently.
#
# NOTE(review): netd also carries the domain_deprecated attribute. Whatever
# legacy rules that attribute brings in apply to netd too and are not
# visible here — check what it grants before treating the rules below as
# the complete picture, and see whether netd can drop it.
type netd, domain, domain_deprecated, mlstrustedsubject;
type netd_exec, exec_type, file_type;

init_daemon_domain(netd)
net_domain(netd)

# Linux capabilities netd keeps on itself. net_admin/net_raw pair with the
# netlink route/netfilter/nflog rules further down; kill is what the
# hostapd/dnsmasq/clatd signal rules below need when those daemons run
# under a different uid (presumably — confirm against the spawn path).
allow netd self:capability { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for netd to operate.
dontaudit netd self:capability fsetid;

# Netlink sockets netd opens on its own behalf. netlink_route_socket only
# gets nlmsg_write here; its create/read permissions are not in this file
# (presumably supplied by net_domain() — confirm).
allow netd self:netlink_kobject_uevent_socket create_socket_perms;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms;
allow netd self:netlink_socket create_socket_perms;
allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket create_socket_perms;
allow netd self:netlink_netfilter_socket create_socket_perms;
# netd may exec the shell and any file labelled system_file. That is a
# wide execution surface for a network-facing daemon; NOTE(review): see
# whether the binaries netd actually runs can get a narrower label.
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
# Read/write on pseudo-terminals. The reason is not documented here —
# TODO confirm what in netd needs a pty.
allow netd devpts:chr_file rw_file_perms;

# For /proc/sys/net/ipv[46]/route/flush.
# NOTE(review): the rule grants write on every file labelled proc_net,
# not just the flush path named above — the type is coarser than the
# comment suggests.
allow netd proc_net:file write;

# For /sys/modules/bcmdhd/parameters/firmware_path
# XXX Split into its own type.
# NOTE(review): until that split happens this is an unconstrained write
# to any sysfs attribute that has not been relabelled away from the
# generic sysfs type. (Kernel module parameters normally appear under
# /sys/module/<name>/parameters/ — verify the path in the comment above.)
allow netd sysfs:file write;

# TODO: added to match above sysfs rule. Remove me?
# NOTE(review): no consumer of this write is named anywhere in this file.
allow netd sysfs_usb:file write;

# Needed to update /data/misc/wifi/hostapd.conf
# TODO: See what we can do to reduce the need for
# these capabilities
# dac_override bypasses file permission bits outright; chown and fowner let
# netd change ownership and skip owner checks. SELinux type enforcement
# still applies, so these only reach files netd can already touch by label
# (wifi_data_file, net_data_file, and the sysfs/proc_net writes above) —
# but within that set the DAC layer is gone.
allow netd self:capability { dac_override chown fowner };
allow netd wifi_data_file:file create_file_perms;
allow netd wifi_data_file:dir rw_dir_perms;

# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;

# Allow netd to spawn hostapd in its own domain.
# Exec of hostapd_exec transitions to the hostapd domain, so hostapd does
# not inherit netd's permissions; netd keeps only the right to signal it.
domain_auto_trans(netd, hostapd_exec, hostapd)
allow netd hostapd:process signal;

# Allow netd to spawn dnsmasq in its own domain (same pattern as hostapd).
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
allow netd dnsmasq:process signal;

# Allow netd to start clatd in its own domain (same pattern as hostapd).
domain_auto_trans(netd, clatd_exec, clatd)
allow netd clatd:process signal;

# Lets netd set ctl_mdnsd_prop (the ctl_ prefix suggests an init control
# property for starting/stopping mdnsd — confirm).
set_prop(netd, ctl_mdnsd_prop)

# Allow netd to publish a binder service and make binder calls.
# dumpstate's fifo gets getattr and write only — netd can emit dump
# output into it but not read from it.
binder_use(netd)
allow netd netd_service:service_manager add;
allow netd dumpstate:fifo_file { getattr write };

# Allow netd to call into the system server so it can check permissions.
# This and servicemanager are the only outbound binder targets netd is
# allowed on user builds; the neverallow at the bottom enforces that.
allow netd system_server:binder call;
allow netd permission_service:service_manager find;

# Allow netd to talk to the framework service which collects DNS query metrics.
allow netd dns_listener_service:service_manager find;

# Allow netd to operate on sockets that are passed to it.
# For a socket of any netdomain process handed over via fd, netd may
# read/write it and get/set options and attributes. Nothing here lets
# netd create sockets in another domain or bind/connect them on the
# peer's behalf.
allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
allow netd netdomain:fd use;


###
### Neverallow rules
###
### netd should NEVER do any of this
###
### These are compile-time assertions over the whole policy: if any rule
### (here, in an attribute like domain_deprecated, or in a macro) would
### grant one of the accesses below, the policy build fails.

# Block device access. A compromised netd must not be able to read or
# write partitions directly.
neverallow netd dev_type:blk_file { read write };

# ptrace any other process. { domain } is every domain, so this covers
# netd itself as well as apps and system daemons.
neverallow netd { domain }:process ptrace;

# Write to /system. Consistent with the allow above, which grants only
# execute on system_file, never write.
neverallow netd system_file:dir_file_class_set write;

# Write to files in /data/data or system files on /data.
# wifi_data_file and net_data_file are distinct types, so the allow rules
# above for /data/misc/wifi and /data/misc/net do not conflict with this.
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;

# only system_server and dumpstate may interact with netd over binder
# Inbound: nothing but system_server and dumpstate may look up netd's
# service or call into netd. Outbound: netd may call only system_server
# and servicemanager, plus su on userdebug/eng builds (the m4 macro below
# expands to `-su' only there). The permission_service and
# dns_listener_service finds above go through servicemanager and so stay
# within this rule.
neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
neverallow { domain -system_server -dumpstate } netd:binder call;
neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;