sepolicy changes for network stack app
The networking stack app hosts services that used to be in the system
server (IpClient, NetworkMonitor for now), but in a different process to
be packaged as a mainline module.
Test: booted, verified networking stack working when in app
Change-Id: I300a556f51b35c17378af961cea1ec937444e597
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 588c138..8ddefa1 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -121,6 +121,7 @@
mnt_product_file
mnt_vendor_file
netd_stable_secret_prop
+ network_stack
network_watchlist_data_file
network_watchlist_service
overlayfs_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index e63d226..994fb07 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -109,6 +109,7 @@
metadata_file
mnt_product_file
mnt_vendor_file
+ network_stack
network_watchlist_data_file
network_watchlist_service
overlayfs_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 222f381..1131cbd 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -62,6 +62,7 @@
mediaswcodec_exec
mediaswcodec_tmpfs
mnt_product_file
+ network_stack
overlayfs_file
permissionmgr_service
recovery_socket
diff --git a/private/network_stack.te b/private/network_stack.te
new file mode 100644
index 0000000..d250ebd
--- /dev/null
+++ b/private/network_stack.te
@@ -0,0 +1,25 @@
+# Networking service app
+typeattribute network_stack coredomain;
+
+app_domain(network_stack);
+net_domain(network_stack);
+
+allow network_stack self:global_capability_class_set {
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+};
+
+# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
+allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# The DhcpClient uses packet_sockets
+allow network_stack self:packet_socket create_socket_perms_no_ioctl;
+
+allow network_stack activity_service:service_manager find;
+allow network_stack netd_service:service_manager find;
+allow network_stack wifi_service:service_manager find;
+allow network_stack connmetrics_service:service_manager find;
+
+binder_call(network_stack, netd);
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 55391ea..37f7872 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -106,6 +106,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=network_stack seinfo=platform name=com.google.android.networkstack domain=network_stack levelFrom=all
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file