commit cfdea5f4f3574385d739c1269e6c25783c109857
author Yuyang Huang <yuyanghuang@google.com> Wed Jan 18 16:52:43 2023 +0900
committer Yuyang Huang <yuyanghuang@google.com> Fri Jan 20 15:25:46 2023 +0900
tree 4ab672207b02c6f596efc4695971e4b255875703
parent e6945d00463ba1c55b4cfd560757b28536f6fba1

Blocks untrusted apps to access /dev/socket/mdnsd from U

The untrusted apps should not directly access /dev/socket/mdnsd since
API level 34 (U). Only adbd and netd should remain to have access to
/dev/socket/mdnsd. For untrusted apps running with API level 33-, they
still have access to /dev/socket/mdnsd for backward compatibility.

Bug: 265364111
Test: Manual test
Change-Id: Id37998fcb9379fda6917782b0eaee29cd3c51525

private/app_neverallows.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6231623..0579740 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -265,3 +265,26 @@
   -mediaprovider
   -mediaprovider_app
 } { userdebug_or_eng_prop }:file read;
+
+
+# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
+# used to communicate to the mdnsd responder. The mdnsd responder will be
+# replaced by a java implementation which is integrated into the system server.
+# For untrusted apps running with API level 33-, they still have access to
+# /dev/socket/mdnsd for backward compatibility.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+  -untrusted_app_32
+} mdnsd_socket:sock_file write;
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+  -untrusted_app_32
+} mdnsd:unix_stream_socket connectto;