Sepolicy for netutils_wrapper to use binder call

Bug: 65862741
Test: built, flashed, booted
Change-Id: I346520c47b74fde5137ad7c777f0a9eca50a06d7
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index a773f96..ca3b515 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -15,8 +15,10 @@
 allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
 
 # For netutils (ndc) to be able to talk to netd
-allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
-allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+allow netutils_wrapper netd_service:service_manager find;
+allow netutils_wrapper dnsresolver_service:service_manager find;
+binder_use(netutils_wrapper);
+binder_call(netutils_wrapper, netd);
 
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
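Review bot: The `dnsresolver_service` find added here is not explained by the comment above it, which only mentions ndc talking to netd, and the commit message gives no reason for it either. The only `binder_call` target is `netd`, so the rule presumably relies on the resolver service being hosted in the netd process; that should be stated or the rule dropped if ndc does not need it. The comment that follows in this file says the domain is run on behalf of vendor code, so these rules move the access decision from the socket's file permissions to whatever caller checks netd applies on its binder interfaces. I would extend the comment to something like `# ndc talks to netd over binder; dnsresolver_service is needed for <ndc commands that use it>` with the placeholder filled in.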
diff --git a/public/netd.te b/public/netd.te
index 859cb65..c4a9136 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -138,6 +138,7 @@
     -dumpstate
     -network_stack
     -netd
+    -netutils_wrapper
 } netd_service:service_manager find;
 
 # only system_server, dumpstate and network stack app may find dnsresolver service
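Review bot: The comment kept as context at the end of this hunk, `# only system_server, dumpstate and network stack app may find dnsresolver service`, stops being accurate once the next hunk adds `-netutils_wrapper` to the dnsresolver_service list. The comment for the netd_service list changed in this hunk sits above the hunk and is not visible here, but it probably needs the same update. Both statements start outside their hunks; if they are neverallow rules, as the exclusion lists suggest, each added domain is a standing exception that later readers will audit from these comments. I would change the visible one to `# only system_server, dumpstate, network stack app and netutils_wrapper may find dnsresolver service` and update the netd_service one to match.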
@@ -147,6 +148,7 @@
     -dumpstate
     -network_stack
     -netd
+    -netutils_wrapper
 } dnsresolver_service:service_manager find;
 
 # only netd can create the bpf maps