1typeattribute netd coredomain; 2typeattribute netd bpfdomain; 3 4init_daemon_domain(netd) 5 6# Allow netd to spawn dnsmasq in it's own domain 7domain_auto_trans(netd, dnsmasq_exec, dnsmasq) 8 9allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search; 10allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read }; 11allow netd { fs_bpf fs_bpf_netd_shared }:file write; 12 13# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write 14# the map created by bpfloader 15allow netd bpfloader:bpf { prog_run map_read map_write }; 16 17# in order to invoke side effect of close() on such a socket calling synchronize_rcu() 18# TODO: Remove this permission when 4.9 kernel is deprecated. 19# TODO: Remove this after we remove all bpf interactions from netd. 20allow netd self:key_socket create; 21 22set_prop(netd, ctl_mdnsd_prop) 23set_prop(netd, netd_stable_secret_prop) 24 25get_prop(netd, adbd_config_prop) 26get_prop(netd, hwservicemanager_prop) 27get_prop(netd, device_config_netd_native_prop) 28 29# Allow netd to write to statsd. 30unix_socket_send(netd, statsdw, statsd) 31 32# Allow netd to send callbacks to network_stack 33binder_call(netd, network_stack) 34 35# Allow netd to send dump info to dumpstate 36allow netd dumpstate:fd use; 37allow netd dumpstate:fifo_file { getattr write }; 38 39# persist.netd.stable_secret contains RFC 7217 secret key which should never be 40# leaked to other processes. Make sure it never leaks. 41neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms; 42 43# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret, 44# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy. 45neverallow { domain -netd -init } netd_stable_secret_prop:property_service set; 46