Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / ff43be2ca9dcc80711fc14e0bfb847951f677243^! / . / microdroid / sepolicy / system / private / netd.te
commitff43be2ca9dcc80711fc14e0bfb847951f677243[log] [tgz]
authorInseob Kim <inseob@google.com>Mon Jun 07 16:56:56 2021 +0900
committerInseob Kim <inseob@google.com>Mon Jun 07 18:44:35 2021 +0900
treebf5e839c17d58df2298c811dbf18624f24b48133
parentb50e0fabe77f1f16a9d1fd79cd351bef3834c77c [diff] [blame]
Add microdroid specific sepolicy

Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.

Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938

diff --git a/microdroid/sepolicy/system/private/netd.te b/microdroid/sepolicy/system/private/netd.te
new file mode 100644
index 0000000..670a4bf
--- /dev/null
+++ b/microdroid/sepolicy/system/private/netd.te

@@ -0,0 +1,44 @@
+typeattribute netd coredomain;
+
+init_daemon_domain(netd)
+
+# Allow netd to spawn dnsmasq in it's own domain
+domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+
+# Allow netd to start clatd in its own domain and kill it
+domain_auto_trans(netd, clatd_exec, clatd)
+allow netd clatd:process signal;
+
+# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
+# the map created by bpfloader
+allow netd bpfloader:bpf { prog_run map_read map_write };
+
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow netd self:key_socket create;
+
+set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
+
+get_prop(netd, adbd_config_prop)
+get_prop(netd, bpf_progs_loaded_prop)
+get_prop(netd, hwservicemanager_prop)
+get_prop(netd, device_config_netd_native_prop)
+
+# Allow netd to write to statsd.
+unix_socket_send(netd, statsdw, statsd)
+
+# Allow netd to send callbacks to network_stack
+binder_call(netd, network_stack)
+
+# Allow netd to send dump info to dumpstate
+allow netd dumpstate:fd use;
+allow netd dumpstate:fifo_file { getattr write };
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;