-rwxr-xr-x | msm8996.mk | 8 | ||||
-rw-r--r-- | proprietary-files.txt | 2 | ||||
-rw-r--r-- | sepolicy/file.te | 4 | ||||
-rw-r--r-- | sepolicy/netmgrd.te | 60 | ||||
-rw-r--r-- | sepolicy/netutils_wrapper.te | 17 |
5 files changed, 85 insertions, 6 deletions
@@ -187,6 +187,14 @@ PRODUCT_PACKAGES += \ android.hardware.drm@1.0-impl \ android.hardware.drm@1.0-service +PRODUCT_PACKAGES += \ + mkshrc_vendor \ + sh_vendor \ + toybox_vendor + +PRODUCT_PACKAGES += \ + netutils-wrapper-1.0 + # For config.fs PRODUCT_PACKAGES += \ fs_config_files diff --git a/proprietary-files.txt b/proprietary-files.txt index ca9c018..48139b5 100644 --- a/proprietary-files.txt +++ b/proprietary-files.txt @@ -637,7 +637,7 @@ vendor/etc/permissions/telephonyservice.xml|ff2c9f3456ad73f97adb7ef314fe916fa9cb -vendor/framework/qti-telephony-common.jar|2eba987ae297a892e895ec1e9a302b41dbe0232e -vendor/priv-app/qcrilmsgtunnel/qcrilmsgtunnel.apk|1ef9b4925f997a75ebae2cd14775ae46ef99a3d5 vendor/bin/port-bridge -vendor/bin/netmgrd +vendor/bin/netmgrd|7b5d7b75e2650e3a975b46cfe68e2c7872d840e8 vendor/bin/qti vendor/bin/rmt_storage vendor/bin/tftp_server diff --git a/sepolicy/file.te b/sepolicy/file.te index 86b1097..8a2c9ed 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -5,6 +5,10 @@ type sysfs_fpc_irq, sysfs_type, fs_type; type sysfs_fpc_proximity, sysfs_type, fs_type; type sysfs_fpc_utouch_disable, fs_type, sysfs_type; type thermal_data_file, data_file_type, file_type; +type netmgr_data_file, file_type, data_file_type; +type sysfs_msm_subsys, sysfs_type, fs_type; +type sysfs_msm_subsys_restart, sysfs_type, fs_type; +type sysfs_net, sysfs_type, fs_type, mlstrustedobject; # /vendor type idc_file, file_type, vendor_file_type; diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te index 0f20b71..c7ed94d 100644 --- a/sepolicy/netmgrd.te +++ b/sepolicy/netmgrd.te 
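Review bot: The four types declared in the sepolicy/file.te hunk (`netmgr_data_file`, `sysfs_msm_subsys`, `sysfs_msm_subsys_restart`, `sysfs_net`) have no matching `file_contexts` or `genfs_contexts` change anywhere in this commit's diffstat, so unless those labels are already assigned elsewhere in the tree, `/data/misc/netmgr` and the sysfs nodes keep their parent labels and the netmgrd rules that reference `netmgr_data_file` and `sysfs_net` never match. The `sysfs_net` line also carries `mlstrustedobject`, which exempts the object from MLS constraints; that is an unusual attribute for a sysfs type and deserves a why-comment, e.g. `# mlstrustedobject: written by netmgrd regardless of MLS level — confirm this is required`. If the labels are expected to come from a separate change, a comment naming it would save the next reader the search.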
@@ -1,5 +1,55 @@
-type_transition netmgrd system_data_file:file netmgrd_data_file "log.txt";
-allow netmgrd self:capability dac_override;
-allow netmgrd netmgrd_data_file:file rw_file_perms;
-allow netmgrd diag_device:chr_file { read write };
-allow netmgrd net_data_file:dir read;
+net_domain(netmgrd)
+
+# Grant access to Qualcomm MSM Interface (QMI) radio sockets
+qmux_socket(netmgrd)
+
+wakelock_use(netmgrd)
+
+# create socket in /dev/socket/netmgrd/
+allow netmgrd netmgrd_socket:dir rw_dir_perms;
+allow netmgrd netmgrd_socket:sock_file create_file_perms;
+
+# communicate with netd
+unix_socket_connect(netmgrd, netd, netd)
+
+allow netmgrd proc_net:file rw_file_perms;
+
+allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };
+
+# read /data/misc/net
+allow netmgrd net_data_file:dir r_dir_perms;
+allow netmgrd net_data_file:file r_file_perms;
+# read and write /data/misc/netmgr
+userdebug_or_eng(`
+ allow netmgrd netmgr_data_file:dir rw_dir_perms;
+ allow netmgrd netmgr_data_file:file create_file_perms;
+')
+
+# execute shell, ip, and toolbox
+allow netmgrd vendor_shell_exec:file rx_file_perms;
+allow netmgrd vendor_toolbox_exec:file rx_file_perms;
+
+# netmgrd sockets
+allow netmgrd self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
+allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netmgrd self:rawip_socket create_socket_perms_no_ioctl;
+allow netmgrd self:socket create_socket_perms;
+# in addition to ioctl commands granted to domain allow netmgrd to use:
+allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
+allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
+
+set_prop(netmgrd, net_radio_prop)
+
+# read files in /sys
+r_dir_file(netmgrd, sysfs_type)
+allow netmgrd sysfs_net:file write;
+
+userdebug_or_eng(`
+ allow netmgrd diag_device:chr_file rw_file_perms;
+')
+
+# For netmgrd to be able to execute netutils wrappers
+domain_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)
+allow netmgrd netutils_wrapper_exec:file { open read getattr execute };
+allow netmgrd netutils_wrapper:process sigkill;
diff --git a/sepolicy/netutils_wrapper.te b/sepolicy/netutils_wrapper.te
new file mode 100644
index 0000000..963d47b
--- /dev/null
+++ b/sepolicy/netutils_wrapper.te
@@ -0,0 +1,17 @@
+# For netutils to be able to write their stdout stderr to the pipes opened by netmgrd
+allow netutils_wrapper netmgrd:fd use;
+allow netutils_wrapper netmgrd:fifo_file { getattr read write append };
+
+# netmgrd opens files without o_CLOEXEC and fork_execs the netutils wrappers
+# this results in all file (fd) permissions being audited for access by netutils_wrapper
+# domain. Stop those audit messages flooding the kernel log.
+dontaudit netutils_wrapper netmgrd:udp_socket { getattr read write append };
+dontaudit netutils_wrapper diag_device:chr_file { getattr read write append ioctl };
+dontaudit netutils_wrapper netmgr_data_file:file { getattr read write append };
+dontaudit netutils_wrapper netmgrd:netlink_route_socket { getattr read write append };
+dontaudit netutils_wrapper netmgrd:netlink_socket { getattr read write append };
+dontaudit netutils_wrapper netmgrd:netlink_xfrm_socket { getattr read write append };
+dontaudit netutils_wrapper netmgrd:unix_stream_socket { getattr read write append };
+dontaudit netutils_wrapper sysfs_msm_subsys:file read;
+dontaudit netutils_wrapper netmgrd:tcp_socket { getattr read write append };
+dontaudit netutils_wrapper netmgrd:socket { read write };
|
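Review bot: `allow netmgrd vendor_shell_exec:file rx_file_perms;` lets a daemon that parses modem and netlink input exec a vendor shell under its own label, with `setuid setgid setpcap` granted in the `self:capability` set a few lines earlier, and the hunk's own tail already routes tool execution through `domain_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)`, which is the narrower path. The comment `# execute shell, ip, and toolbox` says what is executed but not why the shell itself is still needed once ip and iptables go through the wrapper; if the blob shells out for a specific script, name it there, otherwise the shell line looks droppable. The `setuid`/`setgid`/`setpcap` grants also deserve a why-comment such as `# identity change at start-up (setuid/setgid/setpcap) — confirm against the netmgrd binary`, since dropping `dac_override` in this same hunk suggests least privilege was the intent. `allow netmgrd proc_net:file rw_file_perms;` and `allow netmgrd sysfs_net:file write;` are the remaining write grants here without a comment saying which nodes are written.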
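Review bot: The `dontaudit` block in sepolicy/netutils_wrapper.te hides the symptom of the descriptor leak its own comment describes (netmgrd forks the wrappers without `O_CLOEXEC`, so they inherit its netlink, raw, diag and data-file descriptors) but nothing in the file says that those inherited descriptors must stay denied, and `allow netutils_wrapper netmgrd:fd use;` on the second line is what makes any inherited descriptor usable at all. A comment above the dontaudit lines along the lines of `# Keep these as dontaudit, not allow: only the stdout/stderr pipes are meant to be shared; the inherited sockets and diag fd must remain inaccessible to the wrapper` would stop a later "fix the denial" change from widening them. The comment's `o_CLOEXEC` should read `O_CLOEXEC`. Since the blob cannot be changed, it is also worth noting in the header that the leak is tolerated rather than solved here.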