1 typeattribute netd coredomain;
2 typeattribute netd bpfdomain;
4 init_daemon_domain(netd)
6 # Allow netd to spawn dnsmasq in its own domain
7 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
# BPF filesystem access: all four bpf fs types are searchable and readable,
# but write is granted only on fs_bpf and fs_bpf_netd_shared;
# fs_bpf_netd_readonly and fs_bpf_vendor stay read-only for netd.
9 allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
10 allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
11 allow netd { fs_bpf fs_bpf_netd_shared }:file write;
13 # give netd permission to set up iptables rules with xt_bpf, attach program to cgroup,
# prog_run is limited to bpfloader-owned programs; map_create only for netd's own
# maps; map_read/map_write cover maps owned by bpfloader, netd, network_stack
# and system_server.
15 allow netd bpfloader:bpf prog_run;
16 allow netd self:bpf map_create;
17 allow netd { bpfloader netd network_stack system_server }:bpf { map_read map_write };
21 # TODO: Remove this after we remove all bpf interactions from netd.
22 allow netd self:key_socket create;
# Property writes. netd_stable_secret_prop holds the RFC 7217 stable secret;
# the neverallow rules at the end of this file restrict who may read or set it.
24 set_prop(netd, ctl_mdnsd_prop)
25 set_prop(netd, netd_stable_secret_prop)
# Read-only property access.
27 get_prop(netd, adbd_config_prop)
28 get_prop(netd, hwservicemanager_prop)
29 get_prop(netd, device_config_netd_native_prop)
31 # Allow netd to write to statsd.
32 unix_socket_send(netd, statsdw, statsd)
34 # Allow netd to send callbacks to network_stack
35 binder_call(netd, network_stack)
37 # Allow netd to send dump info to dumpstate
38 allow netd dumpstate:fd use;
39 allow netd dumpstate:fifo_file { getattr write };
# net_domain() is a shared macro defined outside this file; the rules below add
# netd-specific privileges on top of whatever it grants.
41 net_domain(netd)
43 unix_socket_connect(netd, mdnsd, mdnsd)
44 # in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
45 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
# cgroup fs: read-only (r_dir_file), no write granted here.
47 r_dir_file(netd, cgroup)
49 allow netd system_server:fd use;
# Capabilities actually granted: net_admin, net_raw and kill (kill is presumably
# what backs the dnsmasq signal/sigkill rule further down -- confirm).
51 allow netd self:global_capability_class_set { net_admin net_raw kill };
57 # for netd to operate.
# fsetid is silenced (dontaudit), not granted.
58 dontaudit netd self:global_capability_class_set fsetid;
60 # Allow netd to open /dev/tun, set it up and pass it to clatd
# The allowxperm narrows the ioctl set on the tun device to exactly TUNGETIFF
# and TUNSETIFF.
61 allow netd tun_device:chr_file rw_file_perms;
62 allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
63 allow netd self:tun_socket create;
# Netlink sockets. Most classes get create_socket_perms_no_ioctl; the route
# socket only gets nlmsg_write here, and tcpdiag additionally gets both
# nlmsg_read and nlmsg_write.
65 allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
66 allow netd self:netlink_route_socket nlmsg_write;
67 allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
68 allow netd self:netlink_socket create_socket_perms_no_ioctl;
69 allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
70 allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
71 allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
# netd may execute shell_exec and system_file binaries; vendor_file execution
# is only granted on non-full-Treble builds.
72 allow netd shell_exec:file rx_file_perms;
73 allow netd system_file:file x_file_perms;
74 not_full_treble(`allow netd vendor_file:file x_file_perms;')
# NOTE(review): the reason for read/write access to devpts is not documented
# here -- confirm it is still required.
75 allow netd devpts:chr_file rw_file_perms;
# NOTE(review): this rule is repeated later in this file (the second
# 'allow netd system_file:file lock;'); one copy can be dropped.
79 allow netd system_file:file lock;
# Writes to system_file dirs are silenced here and additionally forbidden by a
# neverallow further down (system_file_type:dir_file_class_set write).
80 dontaudit netd system_file:dir write;
# proc_net_type: read via r_dir_file plus rw_file_perms on the files. Directory
# writes under proc_net are forbidden by a neverallow further down.
82 r_dir_file(netd, proc_net_type)
84 allow netd proc_net_type:file rw_file_perms;
# sysfs: read sysfs and sysfs_net; write sysfs_net files and sysfs_usb files.
# Directory writes under sysfs_net are forbidden by a neverallow further down.
87 allow netd sysfs:dir r_dir_perms;
88 r_dir_file(netd, sysfs_net)
91 allow netd sysfs_net:file w_file_perms;
94 allow netd sysfs_usb:file write;
96 r_dir_file(netd, cgroup_v2)
98 # TODO: netd previously thought it needed these permissions to do WiFi related
# NOTE(review): dac_override and dac_read_search bypass DAC checks entirely and
# chown allows ownership changes; the TODO above questions whether they are
# still needed -- verify against current denials before removing them.
101 allow netd self:global_capability_class_set { dac_override dac_read_search chown };
# netd's own data files: full file create perms and rw on the directory, plus
# fowner on top of the chown capability above.
104 allow netd net_data_file:file create_file_perms;
105 allow netd net_data_file:dir rw_dir_perms;
106 allow netd self:global_capability_class_set fowner;
# NOTE(review): duplicate of the earlier 'allow netd system_file:file lock;'.
109 allow netd system_file:file lock;
111 # Allow netd to signal/kill the dnsmasq it spawns (the domain transition itself is granted above)
112 allow netd dnsmasq:process { sigkill signal };
114 # Allow netd to publish a binder service and make binder calls.
115 binder_use(netd)
116 add_service(netd, netd_service)
117 add_service(netd, dnsresolver_service)
118 add_service(netd, mdns_service)
# NOTE(review): duplicate of the earlier dumpstate:fifo_file rule.
119 allow netd dumpstate:fifo_file { getattr write };
121 # Allow netd to call into the system server so it can check permissions.
122 allow netd system_server:binder call;
123 allow netd permission_service:service_manager find;
125 # Allow netd to talk to the framework service which collects netd events.
126 allow netd netd_listener_service:service_manager find;
128 # Allow netd to operate on sockets that are passed to it.
129 allow netd netdomain:{
# Also accept file descriptors passed in from any netdomain.
136 allow netd netdomain:fd use;
138 # give netd permission to read and write netlink xfrm
# create/read/write, no ioctl.
139 allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
141 # Allow netd to register as hal server.
# HIDL side: netd registers system_net_netd_hwservice over hwbinder, and also
# publishes system_net_netd_service over binder.
142 add_hwservice(netd, system_net_netd_hwservice)
143 hwbinder_use(netd)
147 add_service(netd, system_net_netd_service)
152 ### netd should NEVER do any of this
# no raw read/write of block devices
155 neverallow netd dev_type:blk_file { read write };
# no ptrace of any domain
158 neverallow netd { domain }:process ptrace;
# no writes to anything on the system partition
161 neverallow netd system_file_type:dir_file_class_set write;
# no writes to app data or system data
164 neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
166 # only system_server, dumpstate and network stack app may find netd service
172 -netd
182 -netd
192 -netd
196 # apps may not interact with netd over binder.
# network_stack is exempt in both directions; on userdebug/eng builds su is
# additionally exempt from the netd -> app direction.
197 neverallow { appdomain -network_stack } netd:binder call;
198 neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
# Directory writes under proc_net and sysfs_net are forbidden (neverallow) and
# any attempt is also kept out of the audit log (dontaudit).
203 neverallow netd proc_net:dir no_w_dir_perms;
204 dontaudit netd proc_net:dir write;
206 neverallow netd sysfs_net:dir no_w_dir_perms;
207 dontaudit netd sysfs_net:dir write;
# NOTE(review): the allow rules above grant capabilities via
# global_capability_class_set, while this neverallow names only the
# 'capability' class. If that set covers more than 'capability' (e.g. a
# user-namespace capability class), a sys_admin grant through the other class
# would not be caught -- confirm against the set's definition.
210 neverallow netd self:capability sys_admin;
211 dontaudit netd self:capability sys_admin;
# NOTE(review): unlike sys_admin, no neverallow for sys_module is visible in
# this listing (the surrounding lines are not shown) -- confirm one exists.
215 dontaudit netd self:capability sys_module;
# Silence app unix_stream_socket read/write denials rather than granting them.
217 dontaudit netd appdomain:unix_stream_socket { read write };
219 # persist.netd.stable_secret contains RFC 7217 secret key which should never be
# Readers: only netd, init and dumpstate.
221 neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
223 # We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
224 # the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
# Setters: only netd and init.
225 neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;