commit 2660633d3414379135ec893cd266f08dbba24700
author Jiyong Park <jiyong@google.com> Tue Dec 06 22:35:11 2022 +0900
committer Jiyong Park <jiyong@google.com> Fri Dec 09 14:31:40 2022 +0900
tree 755a0d7f3c5077cc3cfe532ea0d1bf6190278c47
parent c99fde91781721cd82961630cf7082908faa1598

Remove netdomain from Microdroid

Nothing in Microdroid uses tcp/udp/rawip sockets. Removing netdomain
attribute for the capability. Note that some processes can use
networking via vsock.

Bug: N/A
Test: watch TH

Change-Id: Id10861d0520770578503dd93b0c72c3d6be993e8

microdroid/system/private/net.te

diff --git a/microdroid/system/private/net.te b/microdroid/system/private/net.te
index 1b2fd41..8e783cb 100644
--- a/microdroid/system/private/net.te
+++ b/microdroid/system/private/net.te
@@ -2,15 +2,3 @@
 type node, node_type;
 type netif, netif_type;
 type port, port_type;
-
-###
-### Domain with network access
-###
-
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-allow netdomain port_type:tcp_socket name_connect;
-allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;

microdroid/system/public/attributes

diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 419caa1..61bf8fb 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -120,9 +120,6 @@
 attribute vendor_public_property_type;
 expandattribute vendor_public_property_type false;
 
-# All domains used for apps with network access.
-attribute netdomain;
-
 # All domains used for apps with bluetooth access.
 attribute bluetoothdomain;
 

microdroid/system/public/shell.te

diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
index bde9cd9..0bcb29d 100644
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@@ -2,9 +2,6 @@
 type shell, domain;
 type shell_exec, system_file_type, exec_type, file_type;
 
-# Create and use network sockets.
-net_domain(shell)
-
 # Root fs.
 allow shell rootfs:dir r_dir_perms;
 

microdroid/system/public/su.te

diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index 152de51..5f41e37 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -6,8 +6,6 @@
 type su, domain;
 
 # Add su to various domains
-net_domain(su)
-
 dontaudit su self:capability_class_set *;
 dontaudit su self:capability2 *;
 dontaudit su kernel:security *;