From 24dcc8b1ce38079cba9c0266389f88699cae88c7 Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Thu, 18 Feb 2016 23:55:51 +0900
Subject: [PATCH] Allow the framework to communicate with netd via a binder service

This will allow us to provide a better interface between Java services (e.g., ConnectivityService) and netd than the current FrameworkListener / NativeDaemonConnector interface which uses text strings over a Unix socket.
Bug: 27239233
Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af
---
 netd.te | 9 +++++++++
 service.te | 1 +
 service_contexts | 1 +
 system_server.te | 2 ++
 4 files changed, 13 insertions(+)
diff --git a/netd.te b/netd.te
index 2c0fb15ce..e187c1c60 100644
--- a/netd.te
+++ b/netd.te
@@ -64,10 +64,19 @@ allow netd clatd:process signal;
 set_prop(netd, ctl_mdnsd_prop)
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+binder_service(netd)
+allow netd netd_service:service_manager add;
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+
 # Allow netd to operate on sockets that are passed to it.
 allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
 allow netd netdomain:fd use;
+
 ###
 ### Neverallow rules
 ###
diff --git a/service.te b/service.te
index 34bd50a95..0e6046a0f 100644
--- a/service.te
+++ b/service.te
@@ -12,6 +12,7 @@ type mediaserver_service, service_manager_type;
 type mediaextractor_service, service_manager_type;
 type mediacodec_service, service_manager_type;
 type mediadrmserver_service, service_manager_type;
+type netd_service, service_manager_type;
 type nfc_service, service_manager_type;
 type radio_service, service_manager_type;
 type surfaceflinger_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 39e004c3a..c9be473ec 100644
--- a/service_contexts
+++ b/service_contexts
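Review bot: The hunk publishes netd's interface with `allow netd netd_service:service_manager add;` but nothing pins which domains are meant to reach it, and the `### Neverallow rules` block that begins at the end of this hunk is where that belongs: if system_server is intended to be the only client (it is the only domain granted `find` in this patch), add `neverallow { domain -system_server } netd_service:service_manager find;` so a later stray `allow` elsewhere cannot quietly widen access to netd's privileged network operations. The separate `allow netd system_server:binder call;` grants only `call`, narrower than the `binder_call` macro used for the other direction in the system_server.te hunk; a short comment explaining why the plain rule was chosen over `binder_call(netd, system_server)` (presumably netd needs no fds passed from system_server) would mark that asymmetry as deliberate rather than an oversight. From the hunk's line counts the trailing added blank line appears to land beside an existing blank line before the `###` block; if so it can be dropped.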
@@ -2,6 +2,7 @@ accessibility u:object_r:accessibility_service:s0
 account u:object_r:account_service:s0
 activity u:object_r:activity_service:s0
 alarm u:object_r:alarm_service:s0
+android.net.INetd u:object_r:netd_service:s0
 android.os.UpdateEngineService u:object_r:update_engine_service:s0
 android.security.keystore u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
diff --git a/system_server.te b/system_server.te
index 2e131b34f..b38ea007a 100644
--- a/system_server.te
+++ b/system_server.te
@@ -136,6 +136,7 @@ binder_call(system_server, gatekeeperd)
 binder_call(system_server, fingerprintd)
 binder_call(system_server, { appdomain autoplay_app })
 binder_call(system_server, dumpstate)
+binder_call(system_server, netd)
 binder_service(system_server)
 # Ask debuggerd to dump backtraces for native stacks of interest.
@@ -396,6 +397,7 @@ allow system_server mediaserver_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
 allow system_server mediacodec_service:service_manager find;
 allow system_server mediadrmserver_service:service_manager find;
+allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };
-- 
GitLab