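# SELinux type-enforcement policy for netd, the Android network management
# daemon. Allow rules come first, neverallow/dontaudit guards at the end.
typeattribute netd coredomain;
typeattribute netd bpfdomain;

init_daemon_domain(netd)

# Allow netd to spawn dnsmasq in its own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)

allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
allow netd { fs_bpf                      fs_bpf_netd_shared               }:file write;

# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup,
# create maps, and read/write maps created by bpfloader, itself and NS/SS mainline networking
allow netd bpfloader:bpf prog_run;
allow netd self:bpf map_create;
allow netd { bpfloader netd network_stack system_server }:bpf { map_read map_write };

# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Still needed as of kernel 6.6-rc1 - see BpfUtils.h synchronizeKernelRCU()
# TODO: Remove this after we remove all bpf interactions from netd.
allow netd self:key_socket create;

set_prop(netd, ctl_mdnsd_prop)
set_prop(netd, netd_stable_secret_prop)

get_prop(netd, adbd_config_prop)
get_prop(netd, hwservicemanager_prop)
get_prop(netd, device_config_netd_native_prop)

# Allow netd to write to statsd.
unix_socket_send(netd, statsdw, statsd)

# Allow netd to send callbacks to network_stack
binder_call(netd, network_stack)

# Allow netd to send dump info to dumpstate
allow netd dumpstate:fd use;
allow netd dumpstate:fifo_file { getattr write };

net_domain(netd)
# Connect to mdnsd via mdnsd socket.
unix_socket_connect(netd, mdnsd, mdnsd)
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;

r_dir_file(netd, cgroup)

allow netd system_server:fd use;

allow netd self:global_capability_class_set { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set.  We do not appear to truly need this capability
# for netd to operate.
dontaudit netd self:global_capability_class_set fsetid;

# Allow netd to open /dev/tun, set it up and pass it to clatd
allow netd tun_device:chr_file rw_file_perms;
allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
allow netd self:tun_socket create;

allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
allow netd self:netlink_socket create_socket_perms_no_ioctl;
allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
not_full_treble(`allow netd vendor_file:file x_file_perms;')
allow netd devpts:chr_file rw_file_perms;

# Acquire advisory lock on /system/etc/xtables.lock (the iptables lock). If this
# file doesn't exist, suppress the denial. This is the single grant of
# system_file:file lock; it used to be duplicated further down.
allow netd system_file:file lock;
dontaudit netd system_file:dir write;

r_dir_file(netd, proc_net_type)
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net_type:file rw_file_perms;

# Enables PppController and interface enumeration (among others)
allow netd sysfs:dir r_dir_perms;
r_dir_file(netd, sysfs_net)

# Allows setting interface MTU
allow netd sysfs_net:file w_file_perms;

# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;

r_dir_file(netd, cgroup_v2)

# TODO: netd previously thought it needed these permissions to do WiFi related
#       work.  However, after all the WiFi stuff is gone, we still need them.
#       Why?
allow netd self:global_capability_class_set { dac_override dac_read_search chown };

# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
allow netd self:global_capability_class_set fowner;

# Allow netd to signal or kill the dnsmasq instance it spawned via
# domain_auto_trans above.
allow netd dnsmasq:process { sigkill signal };

# Allow netd to publish a binder service and make binder calls.
# (dumpstate fifo_file access is granted once, in the dumpstate block above.)
binder_use(netd)
add_service(netd, netd_service)
add_service(netd, dnsresolver_service)
add_service(netd, mdns_service)

# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
allow netd permission_service:service_manager find;

# Allow netd to talk to the framework service which collects netd events.
allow netd netd_listener_service:service_manager find;

# Allow netd to operate on sockets that are passed to it.
allow netd netdomain:{
  icmp_socket
  tcp_socket
  udp_socket
  rawip_socket
  tun_socket
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;

# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };

# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)

# AIDL hal server
binder_call(system_net_netd_service, servicemanager)
add_service(netd, system_net_netd_service)

###
### Neverallow rules
###
### netd should NEVER do any of this

# Block device access.
neverallow netd dev_type:blk_file { read write };

# ptrace any other app
neverallow netd { domain }:process ptrace;

# Write to /system.
neverallow netd system_file_type:dir_file_class_set write;

# Write to files in /data/data or system files on /data
neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;

# only system_server, dumpstate and network stack app may find netd service
neverallow {
    domain
    -system_server
    -dumpstate
    -network_stack
    -netd
    -netutils_wrapper
} netd_service:service_manager find;

# only system_server, dumpstate and network stack app may find dnsresolver service
neverallow {
    domain
    -system_server
    -dumpstate
    -network_stack
    -netd
    -netutils_wrapper
} dnsresolver_service:service_manager find;

# only system_server, dumpstate and network stack app may find mdns service
neverallow {
    domain
    -system_server
    -dumpstate
    -network_stack
    -netd
    -netutils_wrapper
} mdns_service:service_manager find;

# apps may not interact with netd over binder.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;

# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
neverallow netd proc_net:dir no_w_dir_perms;
dontaudit netd proc_net:dir write;

neverallow netd sysfs_net:dir no_w_dir_perms;
dontaudit netd sysfs_net:dir write;

# Netd should not have SYS_ADMIN privs.
# NOTE(review): the allow rules above grant capabilities through
# global_capability_class_set (which covers both the capability and cap_userns
# classes), whereas this neverallow names only the capability class. Confirm
# that sys_admin on cap_userns is excluded by a global neverallow, or widen
# this rule to the same class set so the guard matches the grants.
neverallow netd self:capability sys_admin;
dontaudit netd self:capability sys_admin;

# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
# (things it requires should be built directly into the kernel)
dontaudit netd self:capability sys_module;

dontaudit netd appdomain:unix_stream_socket { read write };

# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;

# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;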