netd: restrict netd binder access to system_server
Add neverallow rules so that no domain other than system_server can find or call netd's binder service.
Bug: 27239233
Change-Id: I503d1be7308d0229db1cbe52cd511f7f40afa987
diff --git a/domain.te b/domain.te
index 9d377e5..6aa69ad 100644
--- a/domain.te
+++ b/domain.te
@@ -38,7 +38,8 @@
allow domain su:fd use;
allow domain su:unix_stream_socket { getattr getopt read write shutdown };
- binder_call({ domain -init }, su)
+ allow { domain -init } su:binder { call transfer };
+ allow { domain -init } su:fd use;
# Running something like "pm dump com.android.bluetooth" requires
# fifo writes
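Review bot: The two added lines expand `binder_call({ domain -init }, su)` by hand but carry none of the commentary the macro's own rules come with, and they silently drop anything the macro grants beyond the client-side `call`/`transfer` and `fd use` — its definition is in te_macros, outside this diff, so if it also grants su the reverse `transfer` toward every domain, that grant is gone without the commit message or a comment saying so. Whether that is deliberate or a side effect is exactly what the next reader will have to reconstruct. I'd put `# Expanded from binder_call() on purpose: only the client-side rules toward su are wanted here` above the first added line, and state the reason in the commit message as well.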
diff --git a/dumpstate.te b/dumpstate.te
index f7a84f6..ce09913 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -113,7 +113,7 @@
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;
-allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
allow dumpstate devpts:chr_file rw_file_perms;
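Review bot: Dropping `find` on netd_service while keeping `servicemanager:service_manager list` on the next line means dumpstate can still enumerate netd's service but not look it up, so every bugreport that walks the service list will record an avc denial on netd_service (and netd's own dump output, if it produces one, is no longer collected). If that is the intended trade-off, the denial noise is avoidable without violating the new neverallow, since dontaudit grants nothing: `dontaudit dumpstate netd_service:service_manager find;`. If the gatekeeper_service exclusion on the same line already has such a rule elsewhere, mirror it; I cannot see that from this diff.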
diff --git a/netd.te b/netd.te
index 98a1a2a..e3df2ba 100644
--- a/netd.te
+++ b/netd.te
@@ -57,7 +57,6 @@
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
-binder_service(netd)
allow netd netd_service:service_manager add;
# Allow netd to call into the system server so it can check permissions.
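Review bot: The comment at the top of the hunk, "Allow netd to publish a binder service and make binder calls", now sits above a block from which `binder_service(netd)` has been removed, so it no longer says what is special about netd: it publishes a service without being a binder_service(), which is presumably what keeps the generic caller rules granted through that macro (defined outside this diff) away from it. That is the load-bearing part of this hunk and deserves a sentence. I'd extend the comment to `# Allow netd to publish a binder service and make binder calls. netd is deliberately not a binder_service(): only system_server may call it, see the neverallow rules at the end of this file.`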
@@ -84,3 +83,8 @@
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
+
+# only system_server may interact with netd over binder
+neverallow { domain -system_server } netd_service:service_manager find;
+neverallow { domain -system_server } netd:binder call;
+neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
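Review bot: The comment on the first added line, "only system_server may interact with netd over binder", overstates what the three rules beneath it enforce: the third neverallow explicitly leaves netd free to call servicemanager and, on userdebug/eng builds, su, so the interaction is not system_server-only in either direction. I'd make the comment match the rules: `# Only system_server may find or call netd's binder service; netd itself may call out only to system_server, servicemanager and (userdebug/eng) su.`. Note also that neverallow is a policy build-time check over allow rules; if su is permissive on those builds, as is customary, a root shell is not constrained by the first two rules at runtime, which is worth one more line of comment so nobody reads them as a runtime guarantee.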
diff --git a/shell.te b/shell.te
index 8076d46..d1c385b 100644
--- a/shell.te
+++ b/shell.te
@@ -83,7 +83,7 @@
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
-allow shell { service_manager_type -gatekeeper_service }:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
# allow shell to look through /proc/ for ps, top, netstat
r_dir_file(shell, proc)
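Review bot: The comment two lines above the change, "don't allow shell to access GateKeeper service", is now stale because the rule it describes also excludes netd_service; update it to `# don't allow shell to access the GateKeeper or netd services`. With `servicemanager:service_manager list` still granted on the line above, an adb shell can still see netd in `dumpsys -l` but `dumpsys netd` will now fail on the lookup with a denial, which is presumably the intent, so say so in the same comment rather than leaving the next reader to discover it from the avc log.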
diff --git a/system_app.te b/system_app.te
index 5e66acd..a07a9b9 100644
--- a/system_app.te
+++ b/system_app.te
@@ -43,7 +43,7 @@
allow system_app asec_apk_file:file r_file_perms;
allow system_app servicemanager:service_manager list;
-allow system_app service_manager_type:service_manager find;
+allow system_app { service_manager_type -netd_service }:service_manager find;
allow system_app keystore:keystore_key {
get_state
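Review bot: The changed line singles out netd_service with no comment at all, unlike the parallel edits in shell.te and dumpstate.te which at least sit under an explanatory comment, so someone reading system_app.te alone cannot tell why one service is excluded from an otherwise blanket `find`. I'd add `# netd_service is reachable only from system_server; see the neverallow rules in netd.te` directly above the rule. The `allow system_app keystore:keystore_key {` statement at the bottom of the hunk continues outside it.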