1# network manager
2type netd, domain, mlstrustedsubject;
3type netd_exec, exec_type, file_type;
4
5net_domain(netd)
6# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
7allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
8
9r_dir_file(netd, cgroup)
10allow netd system_server:fd use;
11
12allow netd self:capability { net_admin net_raw kill };
13# Note: fsetid is deliberately not included above. fsetid checks are
14# triggered by chmod on a directory or file owned by a group other
15# than one of the groups assigned to the current process to see if
16# the setgid bit should be cleared, regardless of whether the setgid
17# bit was even set.  We do not appear to truly need this capability
18# for netd to operate.
19dontaudit netd self:capability fsetid;
20
21allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
22allow netd self:netlink_route_socket nlmsg_write;
23allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
24allow netd self:netlink_socket create_socket_perms_no_ioctl;
25allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
26allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
27allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
28allow netd shell_exec:file rx_file_perms;
29allow netd system_file:file x_file_perms;
30not_full_treble(`allow netd vendor_file:file x_file_perms;')
31allow netd devpts:chr_file rw_file_perms;
32
33# Acquire advisory lock on /system/etc/xtables.lock
34allow netd system_file:file lock;
35
36r_dir_file(netd, proc_net)
37# For /proc/sys/net/ipv[46]/route/flush.
38allow netd proc_net:file rw_file_perms;
39
40# Enables PppController and interface enumeration (among others)
41r_dir_file(netd, sysfs_type)
42# Allows setting interface MTU
43allow netd sysfs:file write;
44
45# TODO: added to match above sysfs rule. Remove me?
46allow netd sysfs_usb:file write;
47
48# TODO: netd previously thought it needed these permissions to do WiFi related
49#       work.  However, after all the WiFi stuff is gone, we still need them.
50#       Why?
51allow netd self:capability { dac_override chown };
52
53# Needed to update /data/misc/net/rt_tables
54allow netd net_data_file:file create_file_perms;
55allow netd net_data_file:dir rw_dir_perms;
56allow netd self:capability fowner;
57
58# Needed to lock the iptables lock.
59allow netd system_file:file lock;
60
61# Allow netd to spawn dnsmasq in it's own domain
62allow netd dnsmasq:process signal;
63
64# Allow netd to start clatd in its own domain
65allow netd clatd:process signal;
66
67set_prop(netd, ctl_mdnsd_prop)
68set_prop(netd, netd_stable_secret_prop)
69
70# Allow netd to publish a binder service and make binder calls.
71binder_use(netd)
72add_service(netd, netd_service)
73allow netd dumpstate:fifo_file  { getattr write };
74
75# Allow netd to call into the system server so it can check permissions.
76allow netd system_server:binder call;
77allow netd permission_service:service_manager find;
78
79# Allow netd to talk to the framework service which collects netd events.
80allow netd netd_listener_service:service_manager find;
81
82# Allow netd to operate on sockets that are passed to it.
83allow netd netdomain:{
84  tcp_socket
85  udp_socket
86  rawip_socket
87  tun_socket
88} { read write getattr setattr getopt setopt };
89allow netd netdomain:fd use;
90
91# give netd permission to read and write netlink xfrm
92allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
93
94# Allow netd to register as hal server.
95add_hwservice(netd, system_net_netd_hwservice)
96hwbinder_use(netd)
97get_prop(netd, hwservicemanager_prop)
98
99###
100### Neverallow rules
101###
102### netd should NEVER do any of this
103
104# Block device access.
105neverallow netd dev_type:blk_file { read write };
106
107# ptrace any other app
108neverallow netd { domain }:process ptrace;
109
110# Write to /system.
111neverallow netd system_file:dir_file_class_set write;
112
113# Write to files in /data/data or system files on /data
114neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
115
116# only system_server and dumpstate may find netd service
117neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
118
119# apps may not interact with netd over binder.
120neverallow appdomain netd:binder call;
121neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
122
123# persist.netd.stable_secret contains RFC 7217 secret key which should never be
124# leaked to other processes. Make sure it never leaks.
125neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
126
127# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
128# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
129neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
130