From 937f256b2ddea5c69fde10b0f7758905006a008d Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 11 Jan 2019 15:24:35 -0800
Subject: [PATCH] netdomain: move to public policy
Vendor domains may use net_domain() so it should be moved to public policy. This will allow removal of permissions such as rawip_socket in future releases without breaking Treble compatiblity.
Bug: 122572608
Test: build
Change-Id: Id84feb11587d305334cd9dbbc6e4f6f71ffff6f2
---
 private/net.te | 25 -------------------------
 public/net.te | 28 +++++++++++++++++++++++++++-
 2 files changed, 27 insertions(+), 26 deletions(-)
 delete mode 100644 private/net.te
diff --git a/private/net.te b/private/net.te
deleted file mode 100644
index 2e6ced377..000000000
--- a/private/net.te
+++ /dev/null
@@ -1,25 +0,0 @@
-###
-### Domain with network access
-###
-
-# Use network sockets.
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
-# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
-
-# Talks to netd via fwmarkd socket.
-unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/public/net.te b/public/net.te
index 7e00ed845..5867d67f5 100644
--- a/public/net.te
+++ b/public/net.te
@@ -1,4 +1,30 @@
-# Network types
+## Network types
 type node, node_type;
 type netif, netif_type;
 type port, port_type;
+
+###
+### Domain with network access
+###
+
+# Use network sockets.
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
-- 
GitLab
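Review bot: The block moved into public/net.te still grants `rawip_socket` creation to every netdomain (`allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;`), and once it lives in public policy vendor domains can legitimately build on it, which is exactly the grant the commit message says it wants to drop later. I would mark it as deprecated at the point of the move so no new vendor dependency is taken, e.g. a comment directly above that line: `# TODO(b/122572608): rawip_socket is slated for removal from netdomain; do not add new users.` The heading also appears to change from `# Network types` to `## Network types` in the same hunk, which looks unrelated to the move; if that was unintended, keep the single `#`. Both points are comment/style only: the allow rules and unix_socket_connect() macros are carried over from private/net.te line for line.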