netd: relax binder neverallow rules for hwservices

Relax neverallow rule restricting binder access to/from netd so that netd can export hwbinder services to vendor components. Continue to disallow app access to netd via binder. Bug: 36682246 Test: build Merged-In: I8e558ea1add6c36b966ec1da204062ea82df3f3f Change-Id: I063df6dded94d8b0f5214b2c94c4f46bdafb03d7

netd: relax binder neverallow rules for hwservices
Relax neverallow rule restricting binder access to/from netd so that netd can export hwbinder services to vendor components. Continue to disallow app access to netd via binder. Bug: 36682246 Test: build Merged-In: I8e558ea1add6c36b966ec1da204062ea82df3f3f Change-Id: I063df6dded94d8b0f5214b2c94c4f46bdafb03d7
faaf86bc · Jeff Vander Stoep · c75aa50d · faaf86bc
Commit faaf86bc authored 7 years ago by Jeff Vander Stoep
--- a/public/netd.te
+++ b/public/netd.te
@@ -104,7 +104,9 @@ neverallow netd system_file:dir_file_class_set write;
 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;

-# only system_server, dumpstate and netd  may interact with netd over binder
+# only system_server and dumpstate may find netd service
 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
-neverallow { domain -system_server -dumpstate } netd:binder call;
-neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
+
+neverallow appdomain netd:binder call;
+neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
+