netmgrd: allow communication with connectivity framework

Fix the following denials Allow communication with cnd sockets [ 22.806091] type=1400 audit(1415054892.584:18): avc: denied { write } for pid=1317 comm="netmgrd" name="cnd" dev="tmpfs" ino=8381 scontext=u:r:netmgrd:s0 tcontext=u:object_r:cnd_socket:s0 tclass=sock_file [ 22.316132] type=1400 audit(1415053588.674:56): avc: denied { connectto } for pid=1321 comm="netmgrd" path="/dev/socket/cnd" scontext=u:r:netmgrd:s0 tcontext=u:r:cnd:s0 tclass=unix_stream_socket Allow operations on netlink xfrm sockets [ 20.794160] type=1400 audit(1415053541.505:16): avc: denied { setopt } for pid=1162 comm="ip" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket [ 20.794450] type=1400 audit(1415053541.505:17): avc: denied { getattr } for pid=1162 comm="ip" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket [ 20.794528] type=1400 audit(1415053541.505:18): avc: denied { write } for pid=1162 comm="ip" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket [ 20.794602] type=1400 audit(1415053541.505:19): avc: denied { nlmsg_write } for pid=1162 comm="ip" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket [ 20.794688] type=1400 audit(1415053541.505:20): avc: denied { read } for pid=1162 comm="ip" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket Allow operations on netd and its resources [ 20.827567] type=1400 audit(1415053541.545:21): avc: denied { read } for pid=1166 comm="ip" name="rt_tables" dev="mmcblk0p13" ino=268 scontext=u:r:netmgrd:s0 tcontext=u:object_r:net_data_file:s0 tclass=file [ 20.827802] type=1400 audit(1415053541.545:22): avc: denied { open } for pid=1166 comm="ip" name="rt_tables" dev="mmcblk0p13" ino=268 scontext=u:r:netmgrd:s0 tcontext=u:object_r:net_data_file:s0 tclass=file [ 20.827915] type=1400 audit(1415053541.545:23): avc: denied { getattr }for pid=1166 comm="ip" path="/data/misc/net/rt_tables" dev="mmcblk0p13" ino=268 scontext=u:r:netmgrd:s0 tcontext=u:object_r:net_data_file:s0 tclass=file [ 21.480717] type=1400 audit(1415053542.195:24): avc: denied { getattr } for pid=1259 comm="sh" path="/system/bin/ndc" dev="mmcblk0p12" ino=444 scontext=u:r:netmgrd:s0 tcontext=u:object_r:wpa_exec:s0 tclass=file [ 21.481188] type=1400 audit(1415053542.195:25): avc: denied { execute } for pid=1259 comm="sh" name="ndc" dev="mmcblk0p12" ino=444 scontext=u:r:netmgrd:s0 tcontext=u:object_r:wpa_exec:s0 tclass=file [ 21.482377] type=1400 audit(1415053542.195:26): avc: denied { read open } for pid=1260 comm="sh" name="ndc" dev="mmcblk0p12" ino=444 scontext=u:r:netmgrd:s0 tcontext=u:object_r:wpa_exec:s0 tclass=file [ 21.482614] type=1400 audit(1415053542.195:27): avc: denied { execute_no_trans } for pid=1260 comm="sh" path="/system/bin/ndc" dev="mmcblk0p12" ino=444 scontext=u:r:netmgrd:s0 tcontext=u:object_r:wpa_exec:s0 tclass=file avc: denied { search } for pid=1168 comm="ip" name="net" dev="mmcblk0p34" ino=210 scontext=u:r:netmgrd:s0 tcontext=u:object_r:net_data_file:s0 tclass=dir permissive=0 CRs-Fixed: 748457 Change-Id: Ie1044b498002602354b28f3c2e36bf1c9ee64e15
author: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> 2014-11-07 14:13:41 -0700
committer: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> 2014-11-07 14:13:41 -0700
commit: 4ac88c68aa5d770351a58b7864d4f0d3c8346e77 (patch)
tree: b898402849093dc63e62dc17b17fb77402c0e93d /common
parent: e98f0433476f1734872a93f2f31bcaabf0b2a0eb (diff)
download: android_device_qcom_sepolicy-4ac88c68aa5d770351a58b7864d4f0d3c8346e77.tar.gz
android_device_qcom_sepolicy-4ac88c68aa5d770351a58b7864d4f0d3c8346e77.tar.bz2
android_device_qcom_sepolicy-4ac88c68aa5d770351a58b7864d4f0d3c8346e77.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/common/netmgrd.te b/common/netmgrd.te
index 2d6bd052..5cec0397 100644
--- a/common/netmgrd.te
+++ b/common/netmgrd.te
@@ -23,13 +23,15 @@ allow netmgrd smem_log_device:chr_file { rw_file_perms };
 
 #Allow operations on different types of sockets
 allow netmgrd netmgrd:rawip_socket { create getopt setopt write };
-allow netmgrd netmgrd:netlink_xfrm_socket { create bind };
+allow netmgrd netmgrd:netlink_xfrm_socket { create_socket_perms nlmsg_write nlmsg_read };
 allow netmgrd netmgrd:netlink_socket { write read create bind };
 allow netmgrd netmgrd:socket { create ioctl };
 allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write };
 allow netmgrd init:unix_stream_socket { connectto };
 allow netmgrd property_socket:sock_file write;
 
+unix_socket_connect(netmgrd, cnd, cnd);
+
 qmux_socket(netmgrd);
 
 #Allow writing of ipv6 network properties
@@ -49,6 +51,9 @@ allow netmgrd sysfs_esoc:dir r_dir_perms;
 
 #Allow communication with netd
 allow netmgrd netd_socket:sock_file write;
+allow netmgrd net_data_file:file r_file_perms;
+allow netmgrd wpa_exec:file rx_file_perms;
+allow netmgrd net_data_file:dir r_dir_perms;
 
 #Allow nemtgrd to use esoc api's to determine target
 allow netmgrd shell_exec:file { execute r_file_perms execute_no_trans };
author	Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>	2014-11-07 14:13:41 -0700
committer	Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>	2014-11-07 14:13:41 -0700
commit	4ac88c68aa5d770351a58b7864d4f0d3c8346e77 (patch)
tree	b898402849093dc63e62dc17b17fb77402c0e93d /common
parent	e98f0433476f1734872a93f2f31bcaabf0b2a0eb (diff)
download	android_device_qcom_sepolicy-4ac88c68aa5d770351a58b7864d4f0d3c8346e77.tar.gz android_device_qcom_sepolicy-4ac88c68aa5d770351a58b7864d4f0d3c8346e77.tar.bz2 android_device_qcom_sepolicy-4ac88c68aa5d770351a58b7864d4f0d3c8346e77.zip