From 07c650ebf2475a8ad1ca007dac8b3d6cddf82d6c Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 26 Jul 2017 12:53:21 -0700
Subject: [PATCH] netd: relax binder neverallow rules for hwservices

Relax neverallow rule restricting binder access to/from netd so that netd can export hwbinder services to vendor components. Continue to disallow app access to netd via binder.

Bug: 36682246
Test: build
Change-Id: I8e558ea1add6c36b966ec1da204062ea82df3f3f
---
 public/netd.te | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/public/netd.te b/public/netd.te
index 2d72eeb33..9854f63bf 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -104,10 +104,12 @@ neverallow netd system_file:dir_file_class_set write;
 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
 
-# only system_server, dumpstate and netd may interact with netd over binder
+# only system_server and dumpstate may find netd service
 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
-neverallow { domain -system_server -dumpstate } netd:binder call;
-neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
+
+# apps may not interact with netd over binder.
+neverallow appdomain netd:binder call;
+neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
 
 # persist.netd.stable_secret contains RFC 7217 secret key which should never be
 # leaked to other processes. Make sure it never leaks.
-- 
GitLab
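Review bot: The two added `neverallow` lines widen the set of domains that policy may grant `netd:binder call` from {system_server, dumpstate} (inbound) and {system_server, servicemanager, su} (outbound) to every domain that is not `appdomain`, which is broader than the hwbinder-to-vendor goal the commit message states; any future `allow` for a non-app platform domain will now pass the neverallow check silently. A narrower form would keep the blanket rules and exempt only the attribute that actually needs the access, e.g. `neverallow { domain -system_server -dumpstate -netd -<VENDOR_HAL_ATTRIBUTE> } netd:binder call;` with the placeholder replaced by the vendor/HAL attribute the hwservice clients carry, and the mirror for the outbound rule. The `-netd` exemption on the untouched `find` rule still covers netd registering itself, so it does not need to change. The comment on the new block would also help future reviewers if it recorded why the blanket rule was dropped, e.g. `# netd exports hwbinder services to vendor components (Bug 36682246); only app access is neverallow'd here.`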