diff options
| author | Sandeep Patil <sspatil@google.com> | 2017-04-14 17:49:05 -0700 |
|---|---|---|
| committer | Cosme Domínguez Díaz <cosme.ddiaz@gmail.com> | 2018-04-09 01:31:37 +0200 |
| commit | 654ffe0d79d75db93f3dab124386fcae92eacfd3 (patch) | |
| tree | 6867b1b5167bf073439f4e33fcfc33d560fadf76 /sepolicy | |
| parent | da427996570c7ec070e61d191e0fc8d0db778bcf (diff) | |
netmgrd: use netutils_wrappers
Add required permissions for netmgrd to use the new netutils wrappers
Bug: 36463595
Test: boot sailfish, test LTE, wifi, wifi calling and phone calls work
Change-Id: I5894ee2659f97fce4f4f2b16c54c10f42484b454
Signed-off-by: Sandeep Patil <sspatil@google.com>
Diffstat (limited to 'sepolicy')
| -rw-r--r-- | sepolicy/file.te | 4 | ||||
| -rw-r--r-- | sepolicy/netmgrd.te | 60 | ||||
| -rw-r--r-- | sepolicy/netutils_wrapper.te | 17 |
3 files changed, 76 insertions, 5 deletions
diff --git a/sepolicy/file.te b/sepolicy/file.te index 86b1097..8a2c9ed 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -5,6 +5,10 @@ type sysfs_fpc_irq, sysfs_type, fs_type; type sysfs_fpc_proximity, sysfs_type, fs_type; type sysfs_fpc_utouch_disable, fs_type, sysfs_type; type thermal_data_file, data_file_type, file_type; +type netmgr_data_file, file_type, data_file_type; +type sysfs_msm_subsys, sysfs_type, fs_type; +type sysfs_msm_subsys_restart, sysfs_type, fs_type; +type sysfs_net, sysfs_type, fs_type, mlstrustedobject; # /vendor type idc_file, file_type, vendor_file_type; diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te index 0f20b71..c7ed94d 100644 --- a/sepolicy/netmgrd.te +++ b/sepolicy/netmgrd.te @@ -1,5 +1,55 @@ -type_transition netmgrd system_data_file:file netmgrd_data_file "log.txt"; -allow netmgrd self:capability dac_override; -allow netmgrd netmgrd_data_file:file rw_file_perms; -allow netmgrd diag_device:chr_file { read write }; -allow netmgrd net_data_file:dir read; +net_domain(netmgrd) + +# Grant access to Qualcomm MSM Interface (QMI) radio sockets +qmux_socket(netmgrd) + +wakelock_use(netmgrd) + +# create socket in /dev/socket/netmgrd/ +allow netmgrd netmgrd_socket:dir rw_dir_perms; +allow netmgrd netmgrd_socket:sock_file create_file_perms; + +# communicate with netd +unix_socket_connect(netmgrd, netd, netd) + +allow netmgrd proc_net:file rw_file_perms; + +allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid }; + +# read /data/misc/net +allow netmgrd net_data_file:dir r_dir_perms; +allow netmgrd net_data_file:file r_file_perms; +# read and write /data/misc/netmgr +userdebug_or_eng(` + allow netmgrd netmgr_data_file:dir rw_dir_perms; + allow netmgrd netmgr_data_file:file create_file_perms; +') + +# execute shell, ip, and toolbox +allow netmgrd vendor_shell_exec:file rx_file_perms; +allow netmgrd vendor_toolbox_exec:file rx_file_perms; + +# netmgrd sockets +allow netmgrd self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write }; +allow netmgrd self:netlink_socket create_socket_perms_no_ioctl; +allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write }; +allow netmgrd self:rawip_socket create_socket_perms_no_ioctl; +allow netmgrd self:socket create_socket_perms; +# in addition to ioctl commands granted to domain allow netmgrd to use: +allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls; +allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls; + +set_prop(netmgrd, net_radio_prop) + +# read files in /sys +r_dir_file(netmgrd, sysfs_type) +allow netmgrd sysfs_net:file write; + +userdebug_or_eng(` + allow netmgrd diag_device:chr_file rw_file_perms; +') + +# For netmgrd to be able to execute netutils wrappers +domain_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper) +allow netmgrd netutils_wrapper_exec:file { open read getattr execute }; +allow netmgrd netutils_wrapper:process sigkill; diff --git a/sepolicy/netutils_wrapper.te b/sepolicy/netutils_wrapper.te new file mode 100644 index 0000000..963d47b --- /dev/null +++ b/sepolicy/netutils_wrapper.te @@ -0,0 +1,17 @@ +# For netutils to be able to write their stdout stderr to the pipes opened by netmgrd +allow netutils_wrapper netmgrd:fd use; +allow netutils_wrapper netmgrd:fifo_file { getattr read write append }; + +# netmgrd opens files without o_CLOEXEC and fork_execs the netutils wrappers +# this results in all file (fd) permissions being audited for access by netutils_wrapper +# domain. Stop those audit messages flooding the kernel log. +dontaudit netutils_wrapper netmgrd:udp_socket { getattr read write append }; +dontaudit netutils_wrapper diag_device:chr_file { getattr read write append ioctl }; +dontaudit netutils_wrapper netmgr_data_file:file { getattr read write append }; +dontaudit netutils_wrapper netmgrd:netlink_route_socket { getattr read write append }; +dontaudit netutils_wrapper netmgrd:netlink_socket { getattr read write append }; +dontaudit netutils_wrapper netmgrd:netlink_xfrm_socket { getattr read write append }; +dontaudit netutils_wrapper netmgrd:unix_stream_socket { getattr read write append }; +dontaudit netutils_wrapper sysfs_msm_subsys:file read; +dontaudit netutils_wrapper netmgrd:tcp_socket { getattr read write append }; +dontaudit netutils_wrapper netmgrd:socket { read write }; |