Improve netmgrd selinux policy.
Addressed the following denials.
* Capability to change (uid,gid) to (radio,radio). netmgrd
initially runs as (root,radio).
denied { setgid } for pid=181 comm="netmgrd" capability=6 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability
denied { setuid } for pid=181 comm="netmgrd" capability=7 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability
* Access diagnostic loggers
denied { read write } for pid=181 comm="netmgrd" name="diag" dev="tmpfs" ino=6256 scontext=u:r:netmgrd:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
denied { open } for pid=181 comm="netmgrd" name="diag" dev="tmpfs" ino=6256 scontext=u:r:netmgrd:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
* Talk to qmuxd
denied { write } for pid=181 comm="netmgrd" name="qmux_radio" dev="tmpfs" ino=6586 scontext=u:r:netmgrd:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
denied { write } for pid=181 comm="netmgrd" name="qmux_connect_socket" dev="tmpfs" ino=7590 scontext=u:r:netmgrd:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
denied { connectto } for pid=181 comm="netmgrd" path="/dev/socket/qmux_radio/qmux_connect_socket" scontext=u:r:netmgrd:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket
denied { net_admin } for pid=181 comm="netmgrd" capability=12 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability
* Don't allow access to shell to execute toolbox commands. netmgrd tries
to access /data/data_test/ with toolbox but data_test directory doesn't
exist (never created anywhere). So, don't allow any access.
denied { execute } for pid=542 comm="netmgrd" name="sh" dev="mmcblk0p21" ino=271 scontext=u:r:netmgrd:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { read open } for pid=542 comm="netmgrd" name="sh" dev="mmcblk0p21" ino=271 scontext=u:r:netmgrd:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { execute_no_trans } for pid=542 comm="netmgrd" path="/system/bin/sh" dev="mmcblk0p21" ino=271 scontext=u:r:netmgrd:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { execute_no_trans } for pid=542 comm="sh" path="/system/bin/toolbox" dev="mmcblk0p21" ino=286 scontext=u:r:netmgrd:s0 tcontext=u:object_r:system_file:s0 tclass=file
* Don't allow netmgrd to load kernel modules.
denied { sys_module } for pid=181 comm="netmgrd" capability=16 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability
* Allow raw socket creation. Not sure if this is really needed
but just allow creation of the socket along with the
capability (process seems to not run correctly unless
it can create the socket).
denied { net_raw } for pid=181 comm="netmgrd" capability=13 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability
denied { create } for pid=182 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=udp_socket
denied { ioctl } for pid=182 comm="netmgrd" path="socket:[7986]" dev="sockfs" ino=7986 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=udp_socket
* Allow netlink socket creation.
denied { create } for pid=181 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_route_socket
denied { bind } for pid=181 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_route_socket
denied { create } for pid=181 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_socket
denied { bind } for pid=181 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_socket
denied { read } for pid=562 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_socket
denied { write } for pid=562 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_socket
Run the netmgrd service with group radio to
avoid dac_override denials with the qmux socket
and access to /dev/diag.
Change-Id: Ie34ce5c1845db3afcbaeee441018a9b8c56de295
2 files changed
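
Added example, not part of the commit or the project's policy files: a small Python parser that groups denial lines like those quoted in the message into candidate allow rules, while holding back the two accesses the message says should not be granted (sys_module and shell execution). The function names and the withhold check are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Sample input: a subset of the denial lines from the commit message above.
# The net_raw line is deliberately run together before "tclass" to show the
# parser tolerating that kind of copy damage.
SAMPLE = """\
denied { setgid } for pid=181 comm="netmgrd" capability=6 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability
denied { net_raw } for pid=181 comm="netmgrd" capability=13 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0tclass=capability
denied { sys_module } for pid=181 comm="netmgrd" capability=16 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=capability
denied { read write } for pid=181 comm="netmgrd" name="diag" dev="tmpfs" ino=6256 scontext=u:r:netmgrd:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
denied { execute } for pid=542 comm="netmgrd" name="sh" dev="mmcblk0p21" ino=271 scontext=u:r:netmgrd:s0 tcontext=u:object_r:shell_exec:s0 tclass=file
denied { bind } for pid=181 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_route_socket
"""

# Pull the permission set, the source/target types and the object class.
DENIAL = re.compile(
    r"denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<src>\w+):s\d+\S*?\s+"
    r"tcontext=\w+:\w+:(?P<tgt>\w+):s\d+\S*?\s*"
    r"tclass=(?P<cls>\w+)"
)

def is_withheld(tgt, cls, perm):
    """Assumed review rule mirroring the message: no module loading, no shell."""
    return (cls == "capability" and perm == "sys_module") or tgt == "shell_exec"

def summarize(text):
    """Return (allow, withheld): {(src, tgt, class): {perms}} for each bucket."""
    allow, withheld = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue  # not an AVC denial line
        src, cls = m["src"], m["cls"]
        tgt = "self" if m["tgt"] == src else m["tgt"]
        for perm in m["perms"].split():
            bucket = withheld if is_withheld(tgt, cls, perm) else allow
            bucket[(src, tgt, cls)].add(perm)
    return allow, withheld

def render(rules, keyword="allow"):
    """Format grouped rules in policy syntax, sorted for stable review diffs."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"{keyword} {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    allow, withheld = summarize(SAMPLE)
    print("\n".join(render(allow) + render(withheld, "# not granted:")))
```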