# netutils_wrapper: the domain in which the system copies of ip, iptables and
# tc run when invoked through netutils_wrapper_exec (callers are transitioned
# into it by the domain_auto_trans rule further down this file).
typeattribute netutils_wrapper coredomain;
typeattribute netutils_wrapper bpfdomain;

# Read-only access to the system partition.
r_dir_file(netutils_wrapper, system_file);

# Capabilities needed by ip/iptables/tc. These two are the only capabilities
# this domain may ever hold; the neverallow at the end of the file enforces it.
allow netutils_wrapper self:global_capability_class_set { net_admin net_raw };

# The wrapper runs the system binaries in place: execute_no_trans means the
# real ip/iptables/tc executables execute in this domain rather than
# transitioning to another one.
allow netutils_wrapper system_file:file { execute execute_no_trans };

# /proc/net/* is read-only for this domain.
allow netutils_wrapper proc_net_type:file { open read getattr };

# Raw IP and UDP sockets, plus route/xfrm netlink sockets with every
# permission except ioctl (the ip utilities need everything but ioctl).
allow netutils_wrapper self:{ rawip_socket udp_socket } create_socket_perms;
allow netutils_wrapper self:{ netlink_route_socket netlink_xfrm_socket } ~ioctl;

# ndc talks to netd over binder. service_manager find is granted for the netd,
# dnsresolver and mdns services, but binder_call is granted only toward netd.
# NOTE(review): this presumes dnsresolver and mdns are served by the netd
# process — confirm against the netd policy before adding further callees.
allow netutils_wrapper { netd_service dnsresolver_service mdns_service }:service_manager find;
binder_use(netutils_wrapper);
binder_call(netutils_wrapper, netd);
# Vendor code that rewrites iptables rules at runtime has to reload whole
# chains, including the xt_bpf rules, and therefore needs the pinned BPF
# objects. Access is read-only on the netd-shared and vendor pinned objects;
# write is granted only under fs_bpf itself.
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:dir search;
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
allow netutils_wrapper fs_bpf:file write;
allow netutils_wrapper bpfloader:bpf prog_run;

# ndc and ip read /data/misc/net.
r_dir_file(netutils_wrapper, net_data_file)

# Every domain except core and app domains is transitioned into
# netutils_wrapper when it executes netutils_wrapper_exec, so such callers
# never run the wrapper in their own security context.
domain_auto_trans({ domain -coredomain -appdomain }, netutils_wrapper_exec, netutils_wrapper)

###
### Neverallow rules
###

# Silence, without granting, the denials these tools trigger in normal use.
# A dontaudit only drops the audit record; the access remains denied unless
# some other rule allows it (and sys_resource is additionally ruled out by the
# capability neverallow below).
dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
dontaudit netutils_wrapper sysfs_type:file read;

# Capability bound: no policy may ever grant this domain any capability other
# than net_admin and net_raw.
neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };

# The wrapper binary may never be executed in the caller's own domain; the
# only way to run it is through the domain transition above.
neverallow domain netutils_wrapper_exec:file execute_no_trans;