4828dd0715
Latest versions now will have access to netd pid file restricted to
vendor components. Due to this, netmgrd will no longer be able to
detect netd restart and could hence go out of sync leading to
incorrect installation and flushing of rules and routes.
By introducing a netd HAL, netmgrd is able to talk to netd via a
HIDL. The 1.0 version of the HAL only publishes a service for this
particular usecase. Going forward this could be used to add support
for executing ndc commands, iptables and other system calls.
Fixes these denials -
audit(1502214635.963:60): avc: denied { call } for pid=1467
comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netd:s0
tclass=binder permissive=1
E SELinux : avc: denied { find } for
interface=android.system.net.netd::INetd pid=1480
scontext=u:r:netmgrd:s0
tcontext=u:object_r:system_net_netd_hwservice:s0
tclass=hwservice_manager permissive=0
CRs-Fixed: 2066870
Change-Id: Iedc97746964381b9673dc3b7c09e1d80d6efa551
99 lines
3.1 KiB
Plaintext
99 lines
3.1 KiB
Plaintext
type netmgrd, domain;
|
|
type netmgrd_exec, exec_type, vendor_file_type, file_type;
|
|
net_domain(netmgrd)
|
|
init_daemon_domain(netmgrd)
|
|
|
|
userdebug_or_eng(`
|
|
domain_auto_trans(shell, netmgrd_exec, netmgrd)
|
|
#domain_auto_trans(adbd, netmgrd_exec, netmgrd)
|
|
diag_use(netmgrd)
|
|
diag_use(netutils_wrapper)
|
|
')
|
|
|
|
#Allow files to be written during the operation of netmgrd
|
|
file_type_auto_trans(netmgrd, system_data_file, data_test_data_file)
|
|
|
|
#Allow netmgrd operations
|
|
allow netmgrd netmgrd:capability {
|
|
net_raw
|
|
net_admin
|
|
sys_module
|
|
fsetid
|
|
setgid
|
|
setuid
|
|
setpcap
|
|
};
|
|
|
|
#Allow logging
|
|
allow netmgrd smem_log_device:chr_file rw_file_perms;
|
|
allow netmgrd netmgrd_data_file:file create_file_perms;
|
|
allow netmgrd netmgrd_data_file:dir w_dir_perms;
|
|
|
|
#Allow netutils usage
|
|
use_netutils(netmgrd)
|
|
allow netutils_wrapper netmgrd_data_file:file rw_file_perms;
|
|
allow netutils_wrapper wcnss_service_exec:file rx_file_perms;
|
|
|
|
#Allow operations on different types of sockets
|
|
allow netmgrd netmgrd:rawip_socket { create getopt setopt write };
|
|
allow netmgrd netmgrd:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
|
|
allow netmgrd netmgrd:netlink_socket { write read create bind };
|
|
allow netmgrd netmgrd:socket { create };
|
|
allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write };
|
|
allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
allow netmgrd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
|
|
|
|
unix_socket_connect(netmgrd, cnd, cnd);
|
|
|
|
qmux_socket(netmgrd);
|
|
|
|
#Allow writing of ipv6 network properties
|
|
allow netmgrd { proc_net sysfs }:file rw_file_perms;
|
|
|
|
#Allow address configuration
|
|
#Allow setting of DNS and GW Android properties
|
|
set_prop(netmgrd, system_prop)
|
|
set_prop(netmgrd, net_radio_prop)
|
|
set_prop(netmgrd, xlat_prop)
|
|
|
|
#Allow execution of commands in shell
|
|
allow netmgrd system_file:file x_file_perms;
|
|
|
|
allow netmgrd self:socket create_socket_perms;
|
|
allow netmgrd sysfs_esoc:dir r_dir_perms;
|
|
|
|
#Allow communication with netd
|
|
#allow netmgrd netd_socket:sock_file w_file_perms;
|
|
#r_dir_file(netmgrd, net_data_file)
|
|
|
|
#Allow nemtgrd to use esoc api's to determine target
|
|
allow netmgrd sysfs_esoc:lnk_file r_file_perms;
|
|
|
|
r_dir_file(netmgrd, sysfs_ssr);
|
|
|
|
allow netmgrd sysfs:file w_file_perms;
|
|
allow netmgrd sysfs_data:file r_file_perms;
|
|
|
|
#Acquire lock on /system/etc/xtables.lock
|
|
#Required till netutils wrappers are available
|
|
not_full_treble(`allow netmgrd system_file:file lock;')
|
|
|
|
#Allow netmgrd to create netmgrd socket
|
|
allow netmgrd netmgrd_socket:dir create_dir_perms;
|
|
allow netmgrd netmgrd_socket:sock_file create_file_perms;
|
|
|
|
allow netmgrd { wcnss_service_exec vendor_shell_exec vendor_toolbox_exec }:file rx_file_perms;
|
|
|
|
#Allow netmgrd to use wakelock
|
|
wakelock_use(netmgrd)
|
|
|
|
allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
|
|
allowxperm netmgrd self:udp_socket ioctl rmnet_sock_ioctls;
|
|
allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
|
|
|
|
#Allow netmgrd to use netd HAL via HIDL
|
|
get_prop(netmgrd, hwservicemanager_prop)
|
|
hwbinder_use(netmgrd)
|
|
binder_call(netmgrd, netd)
|
|
allow netmgrd system_net_netd_hwservice:hwservice_manager find;
|