Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 27a8f43fde05d988606eef18a46794a808b50160 / . / private / net.te
blob: 07e4271f7973a0339aebe1d343e77f09eefdeb79 [file] [log] [blame]
RafayKamraneaa18ce2021-10-27 14:12:44 +0000[diff] [blame]1# Bind to ports.
Nikita Ioffee2da6332022-02-21 17:55:59 +0000[diff] [blame]2allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
3allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
4allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
RafayKamraneaa18ce2021-10-27 14:12:44 +0000[diff] [blame]5
6# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
7# untrusted_apps.
8# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
9# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
10# to avoid app-compat breakage.
11allow {
12 netdomain
13 -ephemeral_app
14 -mediaprovider
Bram Bonneaf609b22022-05-17 14:22:02 +0200[diff] [blame]15 -priv_app
Nikita Ioffee2da6332022-02-21 17:55:59 +0000[diff] [blame]16 -sdk_sandbox
RafayKamraneaa18ce2021-10-27 14:12:44 +0000[diff] [blame]17 -untrusted_app_all
18} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
19