author | Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> | 2014-11-07 14:13:41 -0700 |
---|---|---|
committer | Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> | 2014-11-07 14:13:41 -0700 |
commit | 4ac88c68aa5d770351a58b7864d4f0d3c8346e77 (patch) | |
tree | b898402849093dc63e62dc17b17fb77402c0e93d /common | |
parent | e98f0433476f1734872a93f2f31bcaabf0b2a0eb (diff) | |
netmgrd: allow communication with connectivity framework
Fix the following denials
Allow communication with cnd sockets
[ 22.806091] type=1400 audit(1415054892.584:18): avc: denied { write }
for pid=1317 comm="netmgrd" name="cnd" dev="tmpfs" ino=8381
scontext=u:r:netmgrd:s0 tcontext=u:object_r:cnd_socket:s0 tclass=sock_file
[ 22.316132] type=1400 audit(1415053588.674:56): avc: denied
{ connectto } for pid=1321 comm="netmgrd" path="/dev/socket/cnd"
scontext=u:r:netmgrd:s0 tcontext=u:r:cnd:s0 tclass=unix_stream_socket
Allow operations on netlink xfrm sockets
[ 20.794160] type=1400 audit(1415053541.505:16): avc: denied
{ setopt } for pid=1162 comm="ip" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket
[ 20.794450] type=1400 audit(1415053541.505:17): avc: denied
{ getattr } for pid=1162 comm="ip" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket
[ 20.794528] type=1400 audit(1415053541.505:18): avc: denied
{ write } for pid=1162 comm="ip" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket
[ 20.794602] type=1400 audit(1415053541.505:19): avc: denied
{ nlmsg_write } for pid=1162 comm="ip" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket
[ 20.794688] type=1400 audit(1415053541.505:20): avc: denied
{ read } for pid=1162 comm="ip" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket
Allow operations on netd and its resources
[ 20.827567] type=1400 audit(1415053541.545:21): avc: denied { read }
for pid=1166 comm="ip" name="rt_tables" dev="mmcblk0p13" ino=268
scontext=u:r:netmgrd:s0 tcontext=u:object_r:net_data_file:s0 tclass=file
[ 20.827802] type=1400 audit(1415053541.545:22): avc: denied { open }
for pid=1166 comm="ip" name="rt_tables" dev="mmcblk0p13" ino=268
scontext=u:r:netmgrd:s0 tcontext=u:object_r:net_data_file:s0 tclass=file
[ 20.827915] type=1400 audit(1415053541.545:23): avc: denied { getattr
}for pid=1166 comm="ip" path="/data/misc/net/rt_tables" dev="mmcblk0p13"
ino=268 scontext=u:r:netmgrd:s0 tcontext=u:object_r:net_data_file:s0
tclass=file
[ 21.480717] type=1400 audit(1415053542.195:24): avc: denied { getattr
} for pid=1259 comm="sh" path="/system/bin/ndc" dev="mmcblk0p12" ino=444
scontext=u:r:netmgrd:s0 tcontext=u:object_r:wpa_exec:s0 tclass=file
[ 21.481188] type=1400 audit(1415053542.195:25): avc: denied { execute
} for pid=1259 comm="sh" name="ndc" dev="mmcblk0p12" ino=444
scontext=u:r:netmgrd:s0 tcontext=u:object_r:wpa_exec:s0 tclass=file
[ 21.482377] type=1400 audit(1415053542.195:26): avc: denied { read
open } for pid=1260 comm="sh" name="ndc" dev="mmcblk0p12" ino=444
scontext=u:r:netmgrd:s0 tcontext=u:object_r:wpa_exec:s0 tclass=file
[ 21.482614] type=1400 audit(1415053542.195:27): avc: denied
{ execute_no_trans } for pid=1260 comm="sh" path="/system/bin/ndc"
dev="mmcblk0p12" ino=444 scontext=u:r:netmgrd:s0
tcontext=u:object_r:wpa_exec:s0 tclass=file
avc: denied { search } for pid=1168 comm="ip" name="net" dev="mmcblk0p34"
ino=210 scontext=u:r:netmgrd:s0 tcontext=u:object_r:net_data_file:s0
tclass=dir permissive=0
CRs-Fixed: 748457
Change-Id: Ie1044b498002602354b28f3c2e36bf1c9ee64e15
Diffstat (limited to 'common')
-rw-r--r-- | common/netmgrd.te | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/common/netmgrd.te b/common/netmgrd.te
index 2d6bd052..5cec0397 100644
--- a/common/netmgrd.te
+++ b/common/netmgrd.te
@@ -23,13 +23,15 @@ allow netmgrd smem_log_device:chr_file { rw_file_perms };
 #Allow operations on different types of sockets
 allow netmgrd netmgrd:rawip_socket { create getopt setopt write };
-allow netmgrd netmgrd:netlink_xfrm_socket { create bind };
+allow netmgrd netmgrd:netlink_xfrm_socket { create_socket_perms nlmsg_write nlmsg_read };
 allow netmgrd netmgrd:netlink_socket { write read create bind };
 allow netmgrd netmgrd:socket { create ioctl };
 allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write };
 allow netmgrd init:unix_stream_socket { connectto };
 allow netmgrd property_socket:sock_file write;
+unix_socket_connect(netmgrd, cnd, cnd);
+
 qmux_socket(netmgrd);
 #Allow writing of ipv6 network properties
@@ -49,6 +51,9 @@ allow netmgrd sysfs_esoc:dir r_dir_perms;
 #Allow communication with netd
 allow netmgrd netd_socket:sock_file write;
+allow netmgrd net_data_file:file r_file_perms;
+allow netmgrd wpa_exec:file rx_file_perms;
+allow netmgrd net_data_file:dir r_dir_perms;
 #Allow nemtgrd to use esoc api's to determine target
 allow netmgrd shell_exec:file { execute r_file_perms execute_no_trans };
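Review bot: The replaced netlink_xfrm_socket rule grants the whole create_socket_perms set plus nlmsg_read, while the audit records quoted in the description show only setopt, getattr, write, read and nlmsg_write on that class (create and bind were already allowed by the removed line). If nothing beyond the observed permissions is needed, `allow netmgrd netmgrd:netlink_xfrm_socket { create bind setopt getattr write read nlmsg_write };` keeps the domain at the set the denials justify; nlmsg_read is plausibly required by the xfrm queries the `ip` process issues, so keep it only if that has been confirmed on device. A one-line comment above the rule naming the operation that drives it, e.g. `#Allow ip to manage xfrm state over netlink`, would make the widened grant reviewable later.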
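Review bot: `allow netmgrd wpa_exec:file rx_file_perms;` lets netmgrd read and execute every file carrying the wpa_exec type, while the denials it addresses involve only /system/bin/ndc, which this tree evidently labels wpa_exec (see the tcontext in the description). Whether that label on ndc is intentional is not visible here; if it is a file_contexts artifact, giving ndc its own type and allowing rx on that would confine the grant to the one binary rather than extending netmgrd's execute rights to whatever else is labelled wpa_exec (in AOSP policy that type is used for the wpa_supplicant executable). The two net_data_file rules match the rt_tables and /data/misc/net denials; a comment above the three added lines such as `#Allow ip to read rt_tables and sh to run ndc` would record why they exist.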