Clean up socket rules.

Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

bluetooth.te

@@ -20,17 +20,21 @@ allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms
 # Other domains that can create and use bluetooth sockets.
 # SELinux does not presently define a specific socket class for
 # bluetooth sockets, nor does it distinguish among the bluetooth protocols.
-allow bluetoothdomain self:socket *;
+# TODO: This should no longer be needed with bluedroid for bluetooth
+# but may be getting used for other non-bluetooth sockets that has no
+# specific class defined.  Consider taking to specific domains.
+allow bluetoothdomain self:socket create_socket_perms;
 
 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow bluetooth self:capability net_admin;
 
 # Allow clients to use a socket provided by the bluetooth app.
+# TODO:  See if this is still required under bluedroid.
 allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
 
 # tethering
-allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
+allow bluetooth self:tun_socket create_socket_perms;
 allow bluetooth efs_file:dir search;
 
 # Talk to init over the property socket.

clatd.te

@@ -19,7 +19,7 @@ allow clatd self:capability { net_admin setuid setgid };
 # TODO: Run clatd in vpn group to avoid need for this on /dev/tun.
 allow clatd self:capability dac_override;
 
-allow clatd self:netlink_route_socket { create_socket_perms nlmsg_write };
+allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:tun_socket create_socket_perms;
 allow clatd tun_device:chr_file rw_file_perms;
 allow clatd proc_net:file rw_file_perms;;

dhcp.te

@@ -9,8 +9,7 @@ net_domain(dhcp)
 allow dhcp cgroup:dir { create write add_name };
 allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
 allow dhcp self:packet_socket create_socket_perms;
-allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
-allow dhcp self:rawip_socket create_socket_perms;
+allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries

dnsmasq.te

@@ -3,10 +3,9 @@ type dnsmasq, domain;
 permissive_or_unconfined(dnsmasq)
 type dnsmasq_exec, exec_type, file_type;
 
+net_domain(dnsmasq)
+
 allow dnsmasq self:capability { net_bind_service setgid setuid };
-allow dnsmasq self:tcp_socket create_socket_perms;
 
 allow dnsmasq dhcp_data_file:dir w_dir_perms;
 allow dnsmasq dhcp_data_file:file create_file_perms;
-allow dnsmasq port:tcp_socket name_bind;
-allow dnsmasq node:tcp_socket node_bind;

domain.te

@@ -16,7 +16,8 @@ allow domain self:fd use;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;
 allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:{ unix_dgram_socket unix_stream_socket } *;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
 
 # Inherit or receive open files from others.
 allow domain init:fd use;

drmserver.te

@@ -5,6 +5,8 @@ type drmserver_exec, exec_type, file_type;
 init_daemon_domain(drmserver)
 typeattribute drmserver mlstrustedsubject;
 
+net_domain(drmserver)
+
 # Perform Binder IPC to system server.
 binder_use(drmserver)
 binder_call(drmserver, system_server)
@@ -17,8 +19,6 @@ binder_call(drmserver, mediaserver)
 allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
-allow drmserver self:{ tcp_socket udp_socket } *;
-allow drmserver port:tcp_socket name_connect;
 allow drmserver tee_device:chr_file rw_file_perms;
 allow drmserver platform_app_data_file:file { read write getattr };
 allow drmserver app_data_file:file { read write getattr };

dumpstate.te

@@ -47,9 +47,6 @@ allow dumpstate { appdomain system_server }:process signal;
 # This list comes from native_processes_to_dump in dumpstate/utils.c
 allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
 
-# The /system/bin/ip command needs this for routing table information.
-allow dumpstate self:netlink_route_socket { write getattr setopt };
-
 # The vdc command needs to talk to the vold socket.
 unix_socket_connect(dumpstate, vold, vold)
 

hostapd.te

@@ -3,11 +3,12 @@ type hostapd, domain;
 permissive_or_unconfined(hostapd)
 type hostapd_exec, exec_type, file_type;
 
+net_domain(hostapd)
+
 allow hostapd self:capability { net_admin net_raw setuid setgid };
 allow hostapd self:netlink_socket create_socket_perms;
-allow hostapd self:packet_socket { create write read };
-allow hostapd self:netlink_route_socket { bind create write nlmsg_write read };
-allow hostapd self:udp_socket { create ioctl };
+allow hostapd self:packet_socket create_socket_perms;
+allow hostapd self:netlink_route_socket nlmsg_write;
 
 allow hostapd wifi_data_file:file rw_file_perms;
 allow hostapd wifi_data_file:dir create_dir_perms;

logd.te

@@ -3,7 +3,6 @@ type logd, domain;
 type logd_exec, exec_type, file_type;
 
 init_daemon_domain(logd)
-allow logd self:unix_stream_socket *;
 
 allow logd self:capability { setuid setgid sys_nice };
 

mtp.te

@@ -7,10 +7,7 @@ init_daemon_domain(mtp)
 net_domain(mtp)
 
 # pptp policy
-allow mtp self:tcp_socket create_socket_perms;
 allow mtp self:socket create_socket_perms;
-allow mtp self:rawip_socket create_socket_perms;
 allow mtp self:capability net_raw;
 allow mtp ppp:process signal;
-allow mtp port:tcp_socket name_connect;
 allow mtp vpn_data_file:dir search;

net.te

@@ -13,18 +13,7 @@ allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
 allow netdomain port_type:udp_socket name_bind;
 allow netdomain port_type:tcp_socket name_bind;
 # See changes to the routing table.
-allow netdomain self:netlink_route_socket {
-    read
-    bind
-    create
-    nlmsg_read
-    ioctl
-    getattr
-    setattr
-    getopt
-    setopt
-    shutdown
-};
+allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)

netd.te

@@ -15,11 +15,9 @@ allow netd self:capability { net_admin net_raw kill };
 # sufficient testing of the fsetid removal.
 # dontaudit netd self:capability fsetid;
 
-allow netd self:netlink_kobject_uevent_socket *;
-allow netd self:netlink_route_socket *;
-allow netd self:netlink_nflog_socket *;
-allow netd self:rawip_socket *;
-allow netd self:unix_stream_socket *;
+allow netd self:netlink_kobject_uevent_socket create_socket_perms;
+allow netd self:netlink_route_socket nlmsg_write;
+allow netd self:netlink_nflog_socket create_socket_perms;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;

ppp.te

@@ -5,10 +5,11 @@ type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 domain_auto_trans(mtp, ppp_exec, ppp)
 
+net_domain(ppp)
+
 allow ppp mtp:socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
-allow ppp self:udp_socket create_socket_perms;
 allow ppp system_file:file rx_file_perms;
 allow ppp vpn_data_file:dir w_dir_perms;
 allow ppp vpn_data_file:file create_file_perms;

racoon.te

@@ -6,17 +6,17 @@ type racoon_exec, exec_type, file_type;
 init_daemon_domain(racoon)
 typeattribute racoon mlstrustedsubject;
 
+net_domain(racoon)
+
 binder_call(racoon, servicemanager)
 binder_call(racoon, keystore)
 
 allow racoon tun_device:chr_file r_file_perms;
 allow racoon cgroup:dir { add_name create };
 allow racoon kernel:system module_request;
-allow racoon port:udp_socket name_bind;
-allow racoon node:udp_socket node_bind;
 
-allow racoon self:{ key_socket udp_socket } create_socket_perms;
-allow racoon self:tun_socket create;
+allow racoon self:key_socket create_socket_perms;
+allow racoon self:tun_socket create_socket_perms;
 allow racoon self:capability { net_admin net_bind_service net_raw setuid };
 
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)

rild.te

@@ -5,7 +5,7 @@ type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)
 net_domain(rild)
-allow rild self:netlink_route_socket { setopt write };
+allow rild self:netlink_route_socket nlmsg_write;
 allow rild kernel:system module_request;
 unix_socket_connect(rild, property, init)
 unix_socket_connect(rild, qemud, qemud)
@@ -38,10 +38,9 @@ allow rild gps_device:chr_file rw_file_perms;
 
 allow rild tty_device:chr_file rw_file_perms;
 
-# Allow rild to create, bind, read, write to itself through a netlink socket
-allow rild self:netlink_socket { create bind read write };
-
-allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt };
+# Allow rild to create and use netlink sockets.
+allow rild self:netlink_socket create_socket_perms;
+allow rild self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Access to wake locks
 allow rild sysfs_wake_lock:file rw_file_perms;

surfaceflinger.te

@@ -28,7 +28,7 @@ allow surfaceflinger video_device:dir r_dir_perms;
 allow surfaceflinger video_device:chr_file rw_file_perms;
 
 # Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket *;
+allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Set properties.
 allow surfaceflinger system_prop:property_service set;

system_server.te

@@ -21,10 +21,6 @@ allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
 allow system_server zygote_tmpfs:file read;
 
-# Needed to close the zygote socket, which involves getopt / getattr
-# This should be deleted after b/12061011 is fixed
-allow system_server zygote:unix_stream_socket { getopt getattr };
-
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
 bluetooth_domain(system_server)
@@ -54,7 +50,7 @@ dontaudit system_server self:capability sys_ptrace;
 allow system_server kernel:system module_request;
 
 # Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket *;
+allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Kill apps.
 allow system_server appdomain:process { sigkill signal };
@@ -75,10 +71,10 @@ allow system_server qtaguid_device:chr_file rw_file_perms;
 allow system_server debugfs:file r_file_perms;
 
 # WifiWatchdog uses a packet_socket
-allow system_server self:packet_socket *;
+allow system_server self:packet_socket create_socket_perms;
 
 # 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create;
+allow system_server self:tun_socket create_socket_perms;
 
 # Notify init of death.
 allow system_server init:process sigchld;

tee.te

@@ -11,4 +11,4 @@ allow tee self:capability { dac_override };
 allow tee tee_device:chr_file rw_file_perms;
 allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket { create bind read };
+allow tee self:netlink_socket create_socket_perms;

ueventd.te

@@ -19,6 +19,6 @@ allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
 allow ueventd dev_type:blk_file { create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket *;
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;

vold.te

@@ -19,7 +19,7 @@ allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
 allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket *;
+allow vold self:netlink_kobject_uevent_socket create_socket_perms;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
 allow vold loop_device:blk_file rw_file_perms;