From 9b3c3661ff6a6f82a24aada7c614a0e116547cef Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 24 Feb 2014 13:04:49 -0500
Subject: [PATCH] Add a domain for mdnsd and allow connecting to it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 96ff4c053a238e04373fcc1f11d769418e8ce238)

Change-Id: Idfd734f07687925c1f35d2629d4b59d46822d0d4
---
 file.te       | 1 +
 file_contexts | 2 ++
 mdnsd.te      | 7 +++++++
 net.te        | 3 +++
 netd.te       | 1 -
 5 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 mdnsd.te

diff --git a/file.te b/file.te
index e255ae949..6431c2cbc 100644
--- a/file.te
+++ b/file.te
@@ -109,6 +109,7 @@ type installd_socket, file_type;
 type keystore_socket, file_type;
 type lmkd_socket, file_type;
 type mdns_socket, file_type;
+type mdnsd_socket, file_type;
 type netd_socket, file_type;
 type property_socket, file_type;
 type qemud_socket, file_type;
diff --git a/file_contexts b/file_contexts
index f593f6db0..a6b193b8e 100644
--- a/file_contexts
+++ b/file_contexts
@@ -82,6 +82,7 @@
 /dev/socket/keystore	u:object_r:keystore_socket:s0
 /dev/socket/lmkd        u:object_r:lmkd_socket:s0
 /dev/socket/mdns	u:object_r:mdns_socket:s0
+/dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
 /dev/socket/netd	u:object_r:netd_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/qemud	u:object_r:qemud_socket:s0
@@ -126,6 +127,7 @@
 /system/bin/netd	u:object_r:netd_exec:s0
 /system/bin/rild	u:object_r:rild_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
+/system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
 /system/bin/debuggerd	u:object_r:debuggerd_exec:s0
diff --git a/mdnsd.te b/mdnsd.te
new file mode 100644
index 000000000..cfcf87341
--- /dev/null
+++ b/mdnsd.te
@@ -0,0 +1,7 @@
+# mdns daemon
+type mdnsd, domain;
+permissive_or_unconfined(mdnsd)
+type mdnsd_exec, exec_type, file_type;
+
+init_daemon_domain(mdnsd)
+net_domain(mdnsd)
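Review bot: `permissive_or_unconfined(mdnsd)` in the new mdnsd.te means the domain labels the daemon without restricting it, and nothing in the file records that this is a temporary state. The `net_domain(mdnsd)` line suggests the daemon handles network traffic, so it is a process worth confining tightly. I would add a comment above the macro such as `# TODO: replace with explicit allow rules once mdnsd's denials have been collected` so the follow-up is tracked in the policy itself. The comment `# mdns daemon` could also say which init service and socket the domain covers, since the `/dev/socket/mdnsd` and `/system/bin/mdnsd` labels are in file_contexts rather than here.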
diff --git a/net.te b/net.te
index b10cecdaa..32b9fb747 100644
--- a/net.te
+++ b/net.te
@@ -16,3 +16,6 @@ allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
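Review bot: `unix_socket_connect(netdomain, mdnsd, mdnsd)` grants write on the mdnsd socket and connectto on the daemon to every domain carrying the `netdomain` attribute, not only to the clients known to need mdnsd. Combined with `permissive_or_unconfined(mdnsd)` in mdnsd.te from this same patch, every network-capable domain gets a local channel into a daemon that is not yet confined. If the set of clients is small, grant it per client with `unix_socket_connect(<client_domain>, mdnsd, mdnsd)`. If the breadth is intended, the comment should say why, for example `# Any netdomain client may resolve via mdnsd, mirroring the dnsproxyd rule above.` Which domains carry `netdomain` is not visible in this hunk, so the actual reach should be checked against the `net_domain()` callers.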
diff --git a/netd.te b/netd.te
index f8c9ffbbc..4ab3613cc 100644
--- a/netd.te
+++ b/netd.te
@@ -52,7 +52,6 @@ allow netd clatd:process signal;
 # Support netd running mdnsd
 # TODO: prune this back further
 allow netd ctl_default_prop:property_service set;
-allow netd device:sock_file write;
 
 ###
 ### Neverallow rules
-- 
GitLab