commit 24dcc8b1ce38079cba9c0266389f88699cae88c7
author Lorenzo Colitti <lorenzo@google.com> Thu Feb 18 23:55:51 2016 +0900
committer Lorenzo Colitti <lorenzo@google.com> Fri Feb 19 00:22:37 2016 +0900
tree 1c6265eb2034536a0c7679a55f6698eaf9c1544c
parent db8d34495ff9dae394e8e5b4ac813a057f89a52f

Allow the framework to communicate with netd via a binder service

This will allow us to provide a better interface between Java
services (e.g., ConnectivityService) and netd than the current
FrameworkListener / NativeDaemonConnector interface which uses
text strings over a Unix socket.

Bug: 27239233
Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af

netd.te

diff --git a/netd.te b/netd.te
index 2c0fb15..e187c1c 100644
--- a/netd.te
+++ b/netd.te
@@ -64,10 +64,19 @@
 
 set_prop(netd, ctl_mdnsd_prop)
 
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+binder_service(netd)
+allow netd netd_service:service_manager add;
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+
 # Allow netd to operate on sockets that are passed to it.
 allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
 allow netd netdomain:fd use;
 
+
 ###
 ### Neverallow rules
 ###

service.te

diff --git a/service.te b/service.te
index 34bd50a..0e6046a 100644
--- a/service.te
+++ b/service.te
@@ -12,6 +12,7 @@
 type mediaextractor_service,    service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
+type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;

service_contexts

diff --git a/service_contexts b/service_contexts
index 39e004c..c9be473 100644
--- a/service_contexts
+++ b/service_contexts
@@ -2,6 +2,7 @@
 account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
 alarm                                     u:object_r:alarm_service:s0
+android.net.INetd                         u:object_r:netd_service:s0
 android.os.UpdateEngineService            u:object_r:update_engine_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0

system_server.te

diff --git a/system_server.te b/system_server.te
index 2e131b3..b38ea00 100644
--- a/system_server.te
+++ b/system_server.te
@@ -136,6 +136,7 @@
 binder_call(system_server, fingerprintd)
 binder_call(system_server, { appdomain autoplay_app })
 binder_call(system_server, dumpstate)
+binder_call(system_server, netd)
 binder_service(system_server)
 
 # Ask debuggerd to dump backtraces for native stacks of interest.
@@ -396,6 +397,7 @@
 allow system_server mediaextractor_service:service_manager find;
 allow system_server mediacodec_service:service_manager find;
 allow system_server mediadrmserver_service:service_manager find;
+allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };