public/netd.te - platform/system/sepolicy - Git at Google

 # network manager
 type netd, domain, domain_deprecated, mlstrustedsubject;
 type netd_exec, exec_type, file_type;

 net_domain(netd)
 # in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;

 r_dir_file(netd, cgroup)
 allow netd system_server:fd use;

 allow netd self:capability { net_admin net_raw kill };
 # Note: fsetid is deliberately not included above. fsetid checks are
 # triggered by chmod on a directory or file owned by a group other
 # than one of the groups assigned to the current process to see if
 # the setgid bit should be cleared, regardless of whether the setgid
 # bit was even set.  We do not appear to truly need this capability
 # for netd to operate.
 dontaudit netd self:capability fsetid;

 allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_route_socket nlmsg_write;
 allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
 allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;

 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file rw_file_perms;

 # Enables PppController and interface enumeration (among others)
 r_dir_file(netd, sysfs_type)
 # Allows setting interface MTU
 allow netd sysfs:file write;

 # TODO: added to match above sysfs rule. Remove me?
 allow netd sysfs_usb:file write;

 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
 #       Why?
 allow netd self:capability { dac_override chown };

 # Needed to update /data/misc/net/rt_tables
 allow netd net_data_file:file create_file_perms;
 allow netd net_data_file:dir rw_dir_perms;
 allow netd self:capability fowner;

 # Allow netd to spawn dnsmasq in it's own domain
 allow netd dnsmasq:process signal;

 # Allow netd to start clatd in its own domain
 allow netd clatd:process signal;

 set_prop(netd, ctl_mdnsd_prop)

 # Allow netd to publish a binder service and make binder calls.
 binder_use(netd)
 allow netd netd_service:service_manager add;
 allow netd dumpstate:fifo_file  { getattr write };

 # Allow netd to call into the system server so it can check permissions.
 allow netd system_server:binder call;
 allow netd permission_service:service_manager find;

 # Allow netd to talk to the framework service which collects netd events.
 allow netd netd_listener_service:service_manager find;

 # Allow netd to operate on sockets that are passed to it.
 allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
 allow netd netdomain:fd use;

 ###
 ### Neverallow rules
 ###
 ### netd should NEVER do any of this

 # Block device access.
 neverallow netd dev_type:blk_file { read write };

 # ptrace any other app
 neverallow netd { domain }:process ptrace;

 # Write to /system.
 neverallow netd system_file:dir_file_class_set write;

 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;

 # only system_server and dumpstate may interact with netd over binder
 neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
 neverallow { domain -system_server -dumpstate } netd:binder call;
 neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
	# network manager
	type netd, domain, domain_deprecated, mlstrustedsubject;
	type netd_exec, exec_type, file_type;

	net_domain(netd)
	# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
	allowxperm netd self:udp_socket ioctl priv_sock_ioctls;

	r_dir_file(netd, cgroup)
	allow netd system_server:fd use;

	allow netd self:capability { net_admin net_raw kill };
	# Note: fsetid is deliberately not included above. fsetid checks are
	# triggered by chmod on a directory or file owned by a group other
	# than one of the groups assigned to the current process to see if
	# the setgid bit should be cleared, regardless of whether the setgid
	# bit was even set. We do not appear to truly need this capability
	# for netd to operate.
	dontaudit netd self:capability fsetid;

	allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
	allow netd self:netlink_route_socket nlmsg_write;
	allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
	allow netd self:netlink_socket create_socket_perms_no_ioctl;
	allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
	allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
	allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
	allow netd shell_exec:file rx_file_perms;
	allow netd system_file:file x_file_perms;
	allow netd devpts:chr_file rw_file_perms;

	# For /proc/sys/net/ipv[46]/route/flush.
	allow netd proc_net:file rw_file_perms;

	# Enables PppController and interface enumeration (among others)
	r_dir_file(netd, sysfs_type)
	# Allows setting interface MTU
	allow netd sysfs:file write;

	# TODO: added to match above sysfs rule. Remove me?
	allow netd sysfs_usb:file write;

	# TODO: netd previously thought it needed these permissions to do WiFi related
	# work. However, after all the WiFi stuff is gone, we still need them.
	# Why?
	allow netd self:capability { dac_override chown };

	# Needed to update /data/misc/net/rt_tables
	allow netd net_data_file:file create_file_perms;
	allow netd net_data_file:dir rw_dir_perms;
	allow netd self:capability fowner;

	# Allow netd to spawn dnsmasq in it's own domain
	allow netd dnsmasq:process signal;

	# Allow netd to start clatd in its own domain
	allow netd clatd:process signal;

	set_prop(netd, ctl_mdnsd_prop)

	# Allow netd to publish a binder service and make binder calls.
	binder_use(netd)
	allow netd netd_service:service_manager add;
	allow netd dumpstate:fifo_file { getattr write };

	# Allow netd to call into the system server so it can check permissions.
	allow netd system_server:binder call;
	allow netd permission_service:service_manager find;

	# Allow netd to talk to the framework service which collects netd events.
	allow netd netd_listener_service:service_manager find;

	# Allow netd to operate on sockets that are passed to it.
	allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
	allow netd netdomain:fd use;

	###
	### Neverallow rules
	###
	### netd should NEVER do any of this

	# Block device access.
	neverallow netd dev_type:blk_file { read write };

	# ptrace any other app
	neverallow netd { domain }:process ptrace;

	# Write to /system.
	neverallow netd system_file:dir_file_class_set write;

	# Write to files in /data/data or system files on /data
	neverallow netd { app_data_file system_data_file }:dir_file_class_set write;

	# only system_server and dumpstate may interact with netd over binder
	neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
	neverallow { domain -system_server -dumpstate } netd:binder call;
	neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;