blob: 37581a69900e9b1ba7d65bbe51bfcbc5998ec0b1 [file] [log] [blame]
Alex Klyubinf5446eb2017-03-23 14:27:32 -07001typeattribute netd coredomain;
Steven Moreland65981752022-02-10 00:32:44 +00002typeattribute netd bpfdomain;
Alex Klyubinf5446eb2017-03-23 14:27:32 -07003
dcashmancc39f632016-07-22 13:13:11 -07004init_daemon_domain(netd)
5
6# Allow netd to spawn dnsmasq in it's own domain
7domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
8
Maciej Żenczykowski37ca69e2023-11-18 03:36:05 +00009allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
10allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
11allow netd { fs_bpf fs_bpf_netd_shared }:file write;
Maciej Żenczykowskib13921c2022-05-21 05:03:29 -070012
Maciej Żenczykowski28960d32023-06-13 20:44:48 -070013# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup,
14# create maps, and read/write maps created by bpfloader, itself and NS/SS mainline networking
15allow netd bpfloader:bpf prog_run;
16allow netd self:bpf map_create;
17allow netd { bpfloader netd network_stack system_server }:bpf { map_read map_write };
Joel Fernandesb76a6392019-01-11 08:32:45 -050018
Chenbo Feng8a5539b2019-02-27 17:44:26 -080019# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
Maciej Żenczykowski28960d32023-06-13 20:44:48 -070020# TODO: Still needed as of kernel 6.6-rc1 - see BpfUtils.h synchronizeKernelRCU()
Ken Chen1aed0062022-01-28 15:04:09 +080021# TODO: Remove this after we remove all bpf interactions from netd.
Chenbo Feng8a5539b2019-02-27 17:44:26 -080022allow netd self:key_socket create;
23
Inseob Kim55e5c9b2020-03-04 17:20:35 +090024set_prop(netd, ctl_mdnsd_prop)
25set_prop(netd, netd_stable_secret_prop)
26
steven_fannd3e8f6f2021-01-26 13:34:00 +080027get_prop(netd, adbd_config_prop)
Inseob Kim55e5c9b2020-03-04 17:20:35 +090028get_prop(netd, hwservicemanager_prop)
29get_prop(netd, device_config_netd_native_prop)
lifr980c08c2018-11-21 22:53:48 +080030
31# Allow netd to write to statsd.
32unix_socket_send(netd, statsdw, statsd)
Remi NGUYEN VAN780fbad2019-01-28 13:08:42 +090033
34# Allow netd to send callbacks to network_stack
35binder_call(netd, network_stack)
36
Chalard Jeana4c9f7b2019-04-05 17:33:56 +090037# Allow netd to send dump info to dumpstate
38allow netd dumpstate:fd use;
39allow netd dumpstate:fifo_file { getattr write };
Inseob Kim55e5c9b2020-03-04 17:20:35 +090040
Inseob Kim75806ef2024-03-27 17:18:41 +090041net_domain(netd)
42# Connect to mdnsd via mdnsd socket.
43unix_socket_connect(netd, mdnsd, mdnsd)
44# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
45allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
46
47r_dir_file(netd, cgroup)
48
49allow netd system_server:fd use;
50
51allow netd self:global_capability_class_set { net_admin net_raw kill };
52# Note: fsetid is deliberately not included above. fsetid checks are
53# triggered by chmod on a directory or file owned by a group other
54# than one of the groups assigned to the current process to see if
55# the setgid bit should be cleared, regardless of whether the setgid
56# bit was even set. We do not appear to truly need this capability
57# for netd to operate.
58dontaudit netd self:global_capability_class_set fsetid;
59
60# Allow netd to open /dev/tun, set it up and pass it to clatd
61allow netd tun_device:chr_file rw_file_perms;
62allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
63allow netd self:tun_socket create;
64
65allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
66allow netd self:netlink_route_socket nlmsg_write;
67allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
68allow netd self:netlink_socket create_socket_perms_no_ioctl;
69allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
70allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
71allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
72allow netd shell_exec:file rx_file_perms;
73allow netd system_file:file x_file_perms;
74not_full_treble(`allow netd vendor_file:file x_file_perms;')
75allow netd devpts:chr_file rw_file_perms;
76
77# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
78# exist, suppress the denial.
79allow netd system_file:file lock;
80dontaudit netd system_file:dir write;
81
82# Allow netd to write to qtaguid ctrl file.
83# TODO: Add proper rules to prevent other process to access qtaguid_proc file
84# after migration complete
85allow netd proc_qtaguid_ctrl:file rw_file_perms;
86# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
87allow netd qtaguid_device:chr_file r_file_perms;
88
89r_dir_file(netd, proc_net_type)
90# For /proc/sys/net/ipv[46]/route/flush.
91allow netd proc_net_type:file rw_file_perms;
92
93# Enables PppController and interface enumeration (among others)
94allow netd sysfs:dir r_dir_perms;
95r_dir_file(netd, sysfs_net)
96
97# Allows setting interface MTU
98allow netd sysfs_net:file w_file_perms;
99
100# TODO: added to match above sysfs rule. Remove me?
101allow netd sysfs_usb:file write;
102
103r_dir_file(netd, cgroup_v2)
104
105# TODO: netd previously thought it needed these permissions to do WiFi related
106# work. However, after all the WiFi stuff is gone, we still need them.
107# Why?
108allow netd self:global_capability_class_set { dac_override dac_read_search chown };
109
110# Needed to update /data/misc/net/rt_tables
111allow netd net_data_file:file create_file_perms;
112allow netd net_data_file:dir rw_dir_perms;
113allow netd self:global_capability_class_set fowner;
114
115# Needed to lock the iptables lock.
116allow netd system_file:file lock;
117
118# Allow netd to spawn dnsmasq in it's own domain
119allow netd dnsmasq:process { sigkill signal };
120
121# Allow netd to publish a binder service and make binder calls.
122binder_use(netd)
123add_service(netd, netd_service)
124add_service(netd, dnsresolver_service)
125add_service(netd, mdns_service)
126allow netd dumpstate:fifo_file { getattr write };
127
128# Allow netd to call into the system server so it can check permissions.
129allow netd system_server:binder call;
130allow netd permission_service:service_manager find;
131
132# Allow netd to talk to the framework service which collects netd events.
133allow netd netd_listener_service:service_manager find;
134
135# Allow netd to operate on sockets that are passed to it.
136allow netd netdomain:{
137 icmp_socket
138 tcp_socket
139 udp_socket
140 rawip_socket
141 tun_socket
142} { read write getattr setattr getopt setopt };
143allow netd netdomain:fd use;
144
145# give netd permission to read and write netlink xfrm
146allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
147
148# Allow netd to register as hal server.
149add_hwservice(netd, system_net_netd_hwservice)
150hwbinder_use(netd)
151
152# AIDL hal server
153binder_call(system_net_netd_service, servicemanager)
154add_service(netd, system_net_netd_service)
155
156###
157### Neverallow rules
158###
159### netd should NEVER do any of this
160
161# Block device access.
162neverallow netd dev_type:blk_file { read write };
163
164# ptrace any other app
165neverallow netd { domain }:process ptrace;
166
167# Write to /system.
168neverallow netd system_file_type:dir_file_class_set write;
169
170# Write to files in /data/data or system files on /data
171neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
172
173# only system_server, dumpstate and network stack app may find netd service
174neverallow {
175 domain
176 -system_server
177 -dumpstate
178 -network_stack
179 -netd
180 -netutils_wrapper
181} netd_service:service_manager find;
182
183# only system_server, dumpstate and network stack app may find dnsresolver service
184neverallow {
185 domain
186 -system_server
187 -dumpstate
188 -network_stack
189 -netd
190 -netutils_wrapper
191} dnsresolver_service:service_manager find;
192
193# only system_server, dumpstate and network stack app may find mdns service
194neverallow {
195 domain
196 -system_server
197 -dumpstate
198 -network_stack
199 -netd
200 -netutils_wrapper
201} mdns_service:service_manager find;
202
203# apps may not interact with netd over binder.
204neverallow { appdomain -network_stack } netd:binder call;
205neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
206
207# If an already existing file is opened with O_CREATE, the kernel might generate
208# a false report of a create denial. Silence these denials and make sure that
209# inappropriate permissions are not granted.
210neverallow netd proc_net:dir no_w_dir_perms;
211dontaudit netd proc_net:dir write;
212
213neverallow netd sysfs_net:dir no_w_dir_perms;
214dontaudit netd sysfs_net:dir write;
215
216# Netd should not have SYS_ADMIN privs.
217neverallow netd self:capability sys_admin;
218dontaudit netd self:capability sys_admin;
219
220# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
221# (things it requires should be built directly into the kernel)
222dontaudit netd self:capability sys_module;
223
224dontaudit netd appdomain:unix_stream_socket { read write };
225
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900226# persist.netd.stable_secret contains RFC 7217 secret key which should never be
227# leaked to other processes. Make sure it never leaks.
228neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
229
230# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
231# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
232neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;