Merge "Add sepolicy for resolver service"
diff --git a/private/atrace.te b/private/atrace.te
index 9cbe71a..7979fa1 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -40,6 +40,7 @@
-incident_service
-iorapd_service
-netd_service
+ -dnsresolver_service
-stats_service
-dumpstate_service
-installd_service
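Review bot: Subtracting `dnsresolver_service` from atrace's `find` set means any lookup of that service by atrace is denied and audited, and only private/system_app.te in this change pairs the exclusion with a `dontaudit` entry; the same applies to the exclusions added in public/shell.te and public/traceur_app.te. Whether those domains already have a suppression rule is not visible here, because each allow block starts and ends outside its hunk. If the denial is expected noise, handle it the way system_app.te does; if the audit record is wanted as a signal that one of these domains reached for the resolver, a short comment beside the exclusion such as `# dnsresolver_service is restricted by the neverallow in public/netd.te` would record why it is listed.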
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index e0898b2..f8efdb2 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -40,6 +40,7 @@
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_netd_native_prop
+ dnsresolver_service
e2fs
e2fs_exec
exfat
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 5d872b9..1129259 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -38,6 +38,7 @@
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_netd_native_prop
+ dnsresolver_service
exfat
exported2_config_prop
exported2_default_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index fd42fff..8e0a7ab 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -41,6 +41,7 @@
device_config_runtime_native_prop
device_config_media_native_prop
device_config_service
+ dnsresolver_service
dynamic_android_service
face_service
face_vendor_data_file
diff --git a/private/network_stack.te b/private/network_stack.te
index 4b88756..4435a7a 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -21,6 +21,7 @@
allow network_stack self:netlink_route_socket nlmsg_write;
allow network_stack app_api_service:service_manager find;
+allow network_stack dnsresolver_service:service_manager find;
allow network_stack netd_service:service_manager find;
allow network_stack radio_service:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index ecf9199..baead30 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -50,6 +50,7 @@
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
diskstats u:object_r:diskstats_service:s0
display u:object_r:display_service:s0
+dnsresolver u:object_r:dnsresolver_service:s0
color_display u:object_r:color_display_service:s0
netd_listener u:object_r:netd_listener_service:s0
network_watchlist u:object_r:network_watchlist_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 3f0d335..27e8ef1 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -74,6 +74,7 @@
allow system_app {
service_manager_type
-apex_service
+ -dnsresolver_service
-dumpstate_service
-installd_service
-iorapd_service
@@ -85,6 +86,7 @@
}:service_manager find;
# suppress denials for services system_app should not be accessing.
dontaudit system_app {
+ dnsresolver_service
dumpstate_service
installd_service
iorapd_service
diff --git a/private/system_server.te b/private/system_server.te
index 7540d56..db51da3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -692,6 +692,7 @@
allow system_server audioserver_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
+allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
diff --git a/public/netd.te b/public/netd.te
index a3e6464..859cb65 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -85,6 +85,7 @@
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
add_service(netd, netd_service)
+add_service(netd, dnsresolver_service)
allow netd dumpstate:fifo_file { getattr write };
# Allow netd to call into the system server so it can check permissions.
@@ -139,6 +140,15 @@
-netd
} netd_service:service_manager find;
+# only system_server, dumpstate and network stack app may find dnsresolver service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+} dnsresolver_service:service_manager find;
+
# only netd can create the bpf maps
neverallow { domain -netd } netd:bpf { map_create };
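Review bot: The comment above the new neverallow names system_server, dumpstate and the network stack app, but the rule also exempts `netd`, so the comment understates who may find the service. Wording such as `# only netd, system_server, dumpstate and network_stack may find dnsresolver_service` would match the rule. The change adds explicit `find` allows for system_server and network_stack, and netd gets its access through `add_service`, but no allow for dumpstate is visible in this diff, so that exemption presumably relies on a rule elsewhere. If dumpstate does not need the resolver service, dropping `-dumpstate` would keep the neverallow as tight as the allows actually granted.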
diff --git a/public/service.te b/public/service.te
index c5bd84d..852e3df 100644
--- a/public/service.te
+++ b/public/service.te
@@ -4,6 +4,7 @@
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
type default_android_service, service_manager_type;
+type dnsresolver_service, service_manager_type;
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
type fingerprintd_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 4c76059..4f6bda5 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -110,6 +110,7 @@
allow shell {
service_manager_type
-apex_service
+ -dnsresolver_service
-gatekeeper_service
-incident_service
-installd_service
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 0bce885..7ded147 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -8,6 +8,7 @@
allow traceur_app {
service_manager_type
-apex_service
+ -dnsresolver_service
-gatekeeper_service
-incident_service
-installd_service