commit eaa18ce0aadfb89bececcc74dcc1f53c8e7d72e6
author RafayKamran <rafaykamran@google.com> Wed Oct 27 14:12:44 2021 +0000
committer Rafay Kamran <rafaykamran@google.com> Mon Dec 06 14:36:08 2021 +0000
tree 10d9cd23d96bf686487142953fb8ce21f4bf7ddc
parent 7bcdf464defcb5ba9f503b7fc64eadf1ee6def7b

Initial sepolicy for supplemental process

Almost 1:1 of the sepolicy for ephemeral apps

Test: make

Bug: 203670791
Ignore-AOSP-First: Feature is developed in internal branch

Change-Id: Ib085c49f29dab47268e479fe5266490a66adaa87

private/net.te

diff --git a/private/net.te b/private/net.te
new file mode 100644
index 0000000..3e20274
--- /dev/null
+++ b/private/net.te
@@ -0,0 +1,18 @@
+# Bind to ports.
+allow {netdomain -ephemeral_app -supplemental_process} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -supplemental_process} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -supplemental_process} port_type:tcp_socket name_bind;
+
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps.
+# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
+# to avoid app-compat breakage.
+allow {
+  netdomain
+  -ephemeral_app
+  -mediaprovider
+  -supplemental_process
+  -untrusted_app_all
+} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
+