## Network types
type node, node_type;
type netif, netif_type;
type port, port_type;

###
### Domain with network access
###

# Use network sockets.
allow netdomain self:tcp_socket create_stream_socket_perms;
allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;

# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
# Bind to ports. `{netdomain -ephemeral_app}` is every type carrying the netdomain
# attribute except ephemeral_app, so ephemeral apps may connect but not listen.
allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
# to avoid app-compat breakage.
allow {
  netdomain
  -ephemeral_app
  -mediaprovider
  -untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv };

# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)

# Talks to netd via fwmarkd socket.
unix_socket_connect(netdomain, fwmarkd, netd)

# Connect to mdnsd via mdnsd socket.
unix_socket_connect(netdomain, mdnsd, mdnsd)
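The rules above rely on attribute sets with exclusions (`{ netdomain -ephemeral_app -untrusted_app_all }`), and it is easy to misjudge which concrete domains end up inside such a set. The following is an added example, not part of AOSP sepolicy or its build tooling: a small evaluator that parses a constructed copy of the allow rules, expands source sets against an assumed attribute map, and answers whether a given domain holds a given permission. The attribute membership (`ATTRIBUTES`), the partial macro expansion in `MACROS`, and the port types `port` and `http_port` are assumptions for illustration; real membership is spread over many `.te` files via `typeattribute` and the macros come from `global_macros`.

```python
"""Toy evaluator for SELinux allow rules with `{ attr -excluded }` sets.

Added example, not AOSP code. Attribute membership and macro contents
below are ASSUMED for illustration.
"""
import re

# Constructed copy of the rules under discussion (sample input).
POLICY = """
allow netdomain self:tcp_socket create_stream_socket_perms;
allow netdomain port_type:tcp_socket name_connect;
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
allow netdomain self:netlink_route_socket { create read nlmsg_read };
# b/141455849: RTM_GETLINK gated behind nlmsg_readpriv.
allow {
  netdomain
  -ephemeral_app
  -mediaprovider
  -untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv };
"""

# ASSUMED attribute membership; real membership is declared via typeattribute.
ATTRIBUTES = {
    "netdomain": {"untrusted_app", "untrusted_app_25", "ephemeral_app",
                  "mediaprovider", "system_server"},
    "untrusted_app_all": {"untrusted_app", "untrusted_app_25"},
    "port_type": {"port", "http_port"},  # hypothetical port types
}

# ASSUMED partial expansion of the macro used by the fragment.
MACROS = {
    "create_stream_socket_perms": {"create", "bind", "listen", "accept",
                                   "read", "write", "connect"},
}

SET_RE = r"\{[^}]*\}|\S+"
RULE_RE = re.compile(rf"allow\s+({SET_RE})\s+({SET_RE}):({SET_RE})\s+({SET_RE})\s*;")


def parse_set(token):
    """'{ a -b }' -> (['a'], ['b']); 'a' -> (['a'], [])."""
    items = token.strip("{}").split()
    inc = [i for i in items if not i.startswith("-")]
    exc = [i[1:] for i in items if i.startswith("-")]
    return inc, exc


def resolve(name):
    """Expand an attribute to its member types; a plain type maps to itself."""
    return set(ATTRIBUTES.get(name, {name}))


def expand_types(token):
    """Union of included names minus union of excluded names."""
    inc, exc = parse_set(token)
    types = set().union(*[resolve(n) for n in inc])
    for n in exc:
        types -= resolve(n)
    return types


def expand_perms(token):
    inc, _ = parse_set(token)
    perms = set()
    for p in inc:
        perms |= MACROS.get(p, {p})
    return perms


def parse_policy(text):
    """Strip comments, join multi-line rules, and expand every allow rule."""
    text = re.sub(r"#[^\n]*", "", text)
    text = " ".join(text.split())
    rules = []
    for m in RULE_RE.finditer(text):
        src, tgt, cls, perms = m.groups()
        rules.append({
            "source": expand_types(src),
            "target": tgt if tgt == "self" else expand_types(tgt),
            "classes": expand_types(cls),  # class names carry no attributes
            "perms": expand_perms(perms),
        })
    return rules


def allowed(rules, domain, target, cls, perm):
    """True if some rule grants `perm` on `cls` for the (domain, target) pair."""
    for r in rules:
        if domain not in r["source"] or cls not in r["classes"] or perm not in r["perms"]:
            continue
        if r["target"] == "self":
            if target == domain:
                return True
        elif target in r["target"]:
            return True
    return False


RULES = parse_policy(POLICY)


def check(domain, target, cls, perm):
    return allowed(RULES, domain, target, cls, perm)


if __name__ == "__main__":
    for q in [("untrusted_app", "untrusted_app", "netlink_route_socket", "nlmsg_read"),
              ("untrusted_app", "untrusted_app", "netlink_route_socket", "nlmsg_readpriv"),
              ("system_server", "system_server", "netlink_route_socket", "nlmsg_readpriv"),
              ("ephemeral_app", "http_port", "tcp_socket", "name_bind"),
              ("ephemeral_app", "http_port", "tcp_socket", "name_connect")]:
        print(q, "->", "allowed" if check(*q) else "denied")
```

Under the assumed map, the `nlmsg_readpriv` rule's source set collapses to `{system_server}`: untrusted_app and untrusted_app_25 are removed through `untrusted_app_all`, and ephemeral_app and mediaprovider are removed explicitly, which is exactly the review question to ask whenever an exclusion list is edited. On a real build the same question is answered with `sesearch --allow -s untrusted_app -c netlink_route_socket -p nlmsg_readpriv` against the compiled policy.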