Merge "Add mechanism for granting permissions to old vendor images"
diff --git a/private/bpfloader.te b/private/bpfloader.te
index d9b29ce..00d4c79 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -17,8 +17,8 @@
 ###
 ### Neverallow rules
 ###
-neverallow { domain -bpfloader } *:bpf prog_load;
-neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
+neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
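Review bot: The widened neverallow on line 12 makes bpfloader the only domain that may `map_create` as well as `prog_load`, but nothing in this block records that intent, so the next domain that needs a map will be tempted to carve itself out of the `{ domain -bpfloader }` set instead of using a map bpfloader already created. I would put the rationale directly above the rule: `# bpfloader is the sole creator of bpf maps and loader of bpf programs; other` / `# domains must use maps it has already created (e.g. pinned under fs_bpf) and` / `# never create their own.` The fs_bpf detail is inferred from the netd.te change in the same merge, which drops netd's create rights on fs_bpf, so confirm that is the intended sharing path before stating it.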
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index 7b227fb..d189c89 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -20,6 +20,6 @@
 allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
 allow dnsmasq netd:netlink_nflog_socket { read write };
 allow dnsmasq netd:netlink_route_socket { read write };
-allow dnsmasq netd:unix_stream_socket { read write };
+allow dnsmasq netd:unix_stream_socket { getattr read write };
 allow dnsmasq netd:unix_dgram_socket { read write };
 allow dnsmasq netd:udp_socket { read write };
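Review bot: The new `getattr` on line 26 is added with no indication of why dnsmasq needs it, and the surrounding rules give no hint either. A socket `getattr` usually corresponds to an fstat() on a descriptor inherited from netd, but that is a guess from the rule shape, not something this hunk shows. A one-line why-comment would prevent the permission being dropped or cargo-culted later: `# getattr: dnsmasq fstat()s the stream socket it inherits from netd (confirm against dnsmasq's denials)`.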
diff --git a/public/netd.te b/public/netd.te
index c4a9136..c8877b2 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -19,6 +19,11 @@
 # for netd to operate.
 dontaudit netd self:global_capability_class_set fsetid;
 
+# Allow netd to open /dev/tun, set it up and pass it to clatd
+allow netd tun_device:chr_file rw_file_perms;
+allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allow netd self:tun_socket create;
+
 allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_route_socket nlmsg_write;
 allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
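Review bot: `rw_file_perms` on line 38 already includes `ioctl`, so the `allowxperm` on line 39 is the only thing that confines netd to the two TUN ioctls; the comment on line 37 should say so, otherwise a later cleanup can drop the xperm line as "redundant" and silently open every tun ioctl to netd. I would extend the comment: `# rw_file_perms includes ioctl; the allowxperm below is what limits netd to TUNGETIFF/TUNSETIFF.` Handing the descriptor to clatd also needs a matching rule on the clatd side (clatd using a netd fd and reading/writing tun_device), which is outside this hunk and presumably lands in clatd.te — worth confirming it exists in the same change set.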
@@ -57,8 +62,8 @@
 
 r_dir_file(netd, cgroup_bpf)
 
-allow netd fs_bpf:dir  create_dir_perms;
-allow netd fs_bpf:file create_file_perms;
+allow netd fs_bpf:dir search;
+allow netd fs_bpf:file { read write setattr };
 
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
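Review bot: Line 52 keeps `setattr` on `fs_bpf:file` while dropping every create permission, but `setattr` is more than "read/write the bpf maps": it lets netd change the mode and ownership of any pinned object under /sys/fs/bpf, so it deserves a why-comment or should go if it was only needed when netd created the maps itself. The tightening on lines 51–52 is also undocumented; something like `# netd no longer creates or pins bpf objects (bpfloader does); it only` / `# opens existing pinned maps under /sys/fs/bpf` would explain why `search` plus `{ read write }` is enough. That bpfloader is the creator is inferred from the bpfloader.te neverallow in this same merge, so confirm before stating it.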
@@ -151,9 +156,6 @@
     -netutils_wrapper
 } dnsresolver_service:service_manager find;
 
-# only netd can create the bpf maps
-neverallow { domain -netd } netd:bpf { map_create };
-
 # apps may not interact with netd over binder.
 neverallow { appdomain -network_stack } netd:binder call;
 neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;