Merge "sepolicy changes for network stack app"

private/compat/26.0/26.0.ignore.cil

@@ -121,6 +121,7 @@
     mnt_product_file
     mnt_vendor_file
     netd_stable_secret_prop
+    network_stack
     network_watchlist_data_file
     network_watchlist_service
     overlayfs_file

private/compat/27.0/27.0.ignore.cil

@@ -109,6 +109,7 @@
     metadata_file
     mnt_product_file
     mnt_vendor_file
+    network_stack
     network_watchlist_data_file
     network_watchlist_service
     overlayfs_file

private/compat/28.0/28.0.ignore.cil

@@ -62,6 +62,7 @@
     mediaswcodec_exec
     mediaswcodec_tmpfs
     mnt_product_file
+    network_stack
     overlayfs_file
     permissionmgr_service
     recovery_socket

private/network_stack.te

+# Networking service app
+typeattribute network_stack coredomain;
+
+app_domain(network_stack);
+net_domain(network_stack);
+
+allow network_stack self:global_capability_class_set {
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+};
+
+# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
+allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# The DhcpClient uses packet_sockets
+allow network_stack self:packet_socket create_socket_perms_no_ioctl;
+
+allow network_stack activity_service:service_manager find;
+allow network_stack netd_service:service_manager find;
+allow network_stack wifi_service:service_manager find;
+allow network_stack connmetrics_service:service_manager find;
+
+binder_call(network_stack, netd);

private/seapp_contexts

@@ -106,6 +106,7 @@ isSystemServer=true domain=system_server_startup
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=network_stack seinfo=platform name=com.google.android.networkstack domain=network_stack levelFrom=all
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file

public/app.te

@@ -358,8 +358,8 @@ allow appdomain dropbox_data_file:file { getattr read };
 ###
 
 # Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability_class_set *;
+# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
 
 # Block device access.
 neverallow appdomain dev_type:blk_file { read write };

public/netd.te

@@ -130,14 +130,20 @@ neverallow netd system_file:dir_file_class_set write;
 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
 
-# only system_server and dumpstate may find netd service
-neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
+# only system_server, dumpstate and network stack app may find netd service
+neverallow {
+    domain
+    -system_server
+    -dumpstate
+    -network_stack
+    -netd
+} netd_service:service_manager find;
 
 # only netd can create the bpf maps
 neverallow { domain -netd } netd:bpf { map_create };
 
 # apps may not interact with netd over binder.
-neverallow appdomain netd:binder call;
+neverallow { appdomain -network_stack } netd:binder call;
 neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
 
 # persist.netd.stable_secret contains RFC 7217 secret key which should never be

public/network_stack.te

+# Network stack service app
+type network_stack, domain;