From 5f3ba92c6172e305552711bcf1c370940f6b340c Mon Sep 17 00:00:00 2001
From: Remi NGUYEN VAN <reminv@google.com>
Date: Wed, 14 Nov 2018 17:07:41 +0900
Subject: [PATCH] sepolicy changes for network stack app

The networking stack app hosts services that used to be in the system server (IpClient, NetworkMonitor for now), but in a different process to be packaged as a mainline module.

Test: booted, verified networking stack working when in app
Change-Id: I300a556f51b35c17378af961cea1ec937444e597
---
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 private/compat/28.0/28.0.ignore.cil | 1 +
 private/network_stack.te | 25 +++++++++++++++++++++++++
 private/seapp_contexts | 1 +
 public/app.te | 4 ++--
 public/netd.te | 12 +++++++++---
 public/network_stack.te | 2 ++
 8 files changed, 42 insertions(+), 5 deletions(-)
 create mode 100644 private/network_stack.te
 create mode 100644 public/network_stack.te

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 588c138a4..8ddefa1f4 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -121,6 +121,7 @@
 mnt_product_file
 mnt_vendor_file
 netd_stable_secret_prop
+ network_stack
 network_watchlist_data_file
 network_watchlist_service
 overlayfs_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index e63d2268d..994fb0727 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -109,6 +109,7 @@
 metadata_file
 mnt_product_file
 mnt_vendor_file
+ network_stack
 network_watchlist_data_file
 network_watchlist_service
 overlayfs_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 222f381c0..1131cbd99 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -62,6 +62,7 @@
 mediaswcodec_exec
 mediaswcodec_tmpfs
 mnt_product_file
+ network_stack
 overlayfs_file
 permissionmgr_service
 recovery_socket
diff --git a/private/network_stack.te b/private/network_stack.te
new file mode 100644
index 000000000..d250ebd04
--- /dev/null
+++ b/private/network_stack.te
@@ -0,0 +1,25 @@
+# Networking service app
+typeattribute network_stack coredomain;
+
+app_domain(network_stack);
+net_domain(network_stack);
+
+allow network_stack self:global_capability_class_set {
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+};
+
+# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
+allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# The DhcpClient uses packet_sockets
+allow network_stack self:packet_socket create_socket_perms_no_ioctl;
+
+allow network_stack activity_service:service_manager find;
+allow network_stack netd_service:service_manager find;
+allow network_stack wifi_service:service_manager find;
+allow network_stack connmetrics_service:service_manager find;
+
+binder_call(network_stack, netd);
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 55391ea36..37f787284 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -106,6 +106,7 @@ isSystemServer=true domain=system_server_startup
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=network_stack seinfo=platform name=com.google.android.networkstack domain=network_stack levelFrom=all
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file
diff --git a/public/app.te b/public/app.te
index 94acac754..0a5f0b4e7 100644
--- a/public/app.te
+++ b/public/app.te
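Review bot: In private/network_stack.te the grant `allow network_stack self:global_capability_class_set { net_admin net_bind_service net_broadcast net_raw };` is justified for net_admin (the SIOCSARP comment) and, presumably, net_raw (the packet_socket rule for DhcpClient), but nothing in the file says which component needs net_bind_service or net_broadcast. Every capability here is a carve-out from the appdomain capability neverallow in public/app.te, so each one should carry a one-line justification or be left out until a denial shows it is needed, e.g. `# net_bind_service: <component> binds a privileged port; net_broadcast: <component> sends broadcasts` with the placeholders filled in. The four `service_manager find` rules have the same gap, `activity_service` in particular, which nothing ties to IpClient or NetworkMonitor; a short comment per service naming the caller would let the next reviewer check the list against the app's actual dependencies.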
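Review bot: The new seapp_contexts entry `user=network_stack seinfo=platform name=com.google.android.networkstack domain=network_stack levelFrom=all` keys the domain assignment on a Google-specific package name, while the neighbouring `name=` entries match `com.android.` packages. If the module is built under a different package name in AOSP, that build would not match this line and the process would not be labelled network_stack (so none of the carve-outs in app.te and netd.te would apply to it); if both package names exist, add a second entry or match on the AOSP name here and leave the Google name to a device-specific seapp_contexts. The entry also relies on a `network_stack` AID that is presumably defined outside this repository; a comment naming where it comes from would help whoever maintains the uid mapping.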
@@ -358,8 +358,8 @@ allow appdomain dropbox_data_file:file { getattr read };
 ###
 
 # Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability_class_set *;
+# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
 
 # Block device access.
 neverallow appdomain dev_type:blk_file { read write };
diff --git a/public/netd.te b/public/netd.te
index 241380b21..10f195997 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -130,14 +130,20 @@ neverallow netd system_file:dir_file_class_set write;
 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
 
-# only system_server and dumpstate may find netd service
-neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
+# only system_server, dumpstate and network stack app may find netd service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+} netd_service:service_manager find;
 
 # only netd can create the bpf maps
 neverallow { domain -netd } netd:bpf { map_create };
 
 # apps may not interact with netd over binder.
-neverallow appdomain netd:binder call;
+neverallow { appdomain -network_stack } netd:binder call;
 neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
 
 # persist.netd.stable_secret contains RFC 7217 secret key which should never be
diff --git a/public/network_stack.te b/public/network_stack.te
new file mode 100644
index 000000000..feff66460
--- /dev/null
+++ b/public/network_stack.te
@@ -0,0 +1,2 @@
+# Network stack service app
+type network_stack, domain;
-- 
GitLab
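Review bot: Excluding the domain in `neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;` lifts the entire capability ban for network_stack, while private/network_stack.te only grants the four net_* capabilities and the new comment mentions only net_admin. To keep the carve-out exactly as wide as the grant, add a follow-on rule pinning the domain to those capabilities, `neverallow network_stack self:global_capability_class_set ~{ net_admin net_bind_service net_broadcast net_raw };`, plus a matching rule denying everything in the capability2 classes, so that a later allow of something like sys_admin or dac_override fails at policy compile time instead of silently widening an app domain. The comment should also list what is actually granted: `# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin, net_bind_service, net_broadcast and net_raw.`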
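Review bot: In public/netd.te the comment `# apps may not interact with netd over binder.` is left unchanged above the rule that now reads `neverallow { appdomain -network_stack } netd:binder call;`, so it no longer describes the rule; the find rule above it had its comment updated, this one should too, e.g. `# apps other than the network stack app may not interact with netd over binder.`. Separately, `neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;` is kept as is, and app_domain() in private/network_stack.te puts network_stack in appdomain, so netd still cannot initiate binder calls into the network stack process; as far as I recall binder_call() only grants call in the caller-to-callee direction, so if netd is expected to deliver callbacks to a listener registered by this app, that rule needs a -network_stack exclusion as well — confirm against the intended IPC direction.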