From 85708ec4f91fd70b215dc69e00b80e0e7a7d4686 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 24 Feb 2014 10:48:03 -0500
Subject: [PATCH] Resolve overlapping rules between app.te and net.te.

There is some overlap between socket rules in app.te and the net.te rules, but they aren't quite identical since not all app domains presently include the net_domain() macro and because the rules in app.te allow more permissions for netlink_route_socket and allow rawip_socket permissions for ping. The current app.te rules prevent one from ever creating a non-networked app domain.

Resolve this overlap by:
1) Adding the missing permissions allowed by app.te to net.te for netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already have it.
3) Deleting the redundant socket rules from app.te.

Then we'll have no effective change in what is allowed for apps but allow one to define app domains in the future that are not allowed network access.

Also cleanup net.te to use the create_socket_perms macro rather than * and add macros for stream socket permissions.

Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te | 25 -------------------------
 bluetooth.te | 1 +
 global_macros | 2 ++
 isolated_app.te | 1 +
 net.te | 18 +++++++++++++++---
 nfc.te | 1 +
 system_app.te | 1 +
 7 files changed, 21 insertions(+), 28 deletions(-)

diff --git a/app.te b/app.te
index cb6ecbc4e..53349140e 100644
--- a/app.te
+++ b/app.te
@@ -113,37 +113,12 @@ allow appdomain system_data_file:lnk_file getattr;
 allow appdomain download_file:dir search;
 allow appdomain download_file:file r_file_perms;
 
-# Allow applications to communicate with netd via /dev/socket/dnsproxyd
-# to do DNS resolution
-unix_socket_connect(appdomain, dnsproxyd, netd)
-
 # Allow applications to communicate with drmserver over binder
 binder_call(appdomain, drmserver)
 
 # Allow applications to communicate with mediaserver over binder
 binder_call(appdomain, mediaserver)
 
-# Allow applications to make outbound tcp connections to any port
-allow appdomain port_type:tcp_socket name_connect;
-
-# Allow apps to see changes to the routing table.
-allow appdomain self:netlink_route_socket {
-	read
-	bind
-	create
-	nlmsg_read
-	ioctl
-	getattr
-	setattr
-	getopt
-	setopt
-	shutdown
-};
-
-# Allow apps to use rawip sockets. This is needed for apps which execute
-# /system/bin/ping, for example.
-allow appdomain self:rawip_socket create_socket_perms;
-
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
diff --git a/bluetooth.te b/bluetooth.te
index 81c229848..d1fed20e6 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,6 +1,7 @@
 # bluetooth subsystem
 type bluetooth, domain;
 app_domain(bluetooth)
+net_domain(bluetooth)
 
 # Data file accesses.
 allow bluetooth bluetooth_data_file:dir create_dir_perms;
diff --git a/global_macros b/global_macros
index 2f9b4fa6b..b4a934d6e 100644
--- a/global_macros
+++ b/global_macros
@@ -43,3 +43,5 @@ define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
 # Common socket permission sets.
 define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
 define(`create_socket_perms', `{ create rw_socket_perms }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/isolated_app.te b/isolated_app.te
index f1ddb37c9..7e51d309c 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -11,6 +11,7 @@
 
 type isolated_app, domain;
 app_domain(isolated_app)
+net_domain(isolated_app)
 
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
diff --git a/net.te b/net.te
index 32b9fb747..c67f456fd 100644
--- a/net.te
+++ b/net.te
@@ -4,15 +4,27 @@ type netif, netif_type;
 type port, port_type;
 
 # Use network sockets.
-allow netdomain self:{ tcp_socket udp_socket } *;
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
 # Bind to ports.
 allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
 allow netdomain port_type:udp_socket name_bind;
 allow netdomain port_type:tcp_socket name_bind;
-# Get route information.
-allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket {
+	read
+	bind
+	create
+	nlmsg_read
+	ioctl
+	getattr
+	setattr
+	getopt
+	setopt
+	shutdown
+};
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/nfc.te b/nfc.te
index d0e4d83fd..0522c52a9 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,6 +1,7 @@
 # nfc subsystem
 type nfc, domain;
 app_domain(nfc)
+net_domain(nfc)
 binder_service(nfc)
 
 # NFC device access.
diff --git a/system_app.te b/system_app.te
index 4f5492cff..702c55635 100644
--- a/system_app.te
+++ b/system_app.te
@@ -6,6 +6,7 @@
 type system_app, domain;
 permissive_or_unconfined(system_app)
 app_domain(system_app)
+net_domain(system_app)
 binder_service(system_app)
 
 # Perform binder IPC to any app domain.
-- 
GitLab
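Review bot: `net_domain(isolated_app)` grants more than the app.te rules this commit deletes: those only gave appdomain `port_type:tcp_socket name_connect`, the netlink_route_socket and rawip_socket self rules and the dnsproxyd connect, whereas net.te additionally grants `self:tcp_socket create_stream_socket_perms`, `self:udp_socket create_socket_perms` and `node_bind`/`name_bind` on node and port types. Unless isolated_app already carries equivalent rules elsewhere in the file (not visible in this hunk), this is an effective widening for a domain whose surrounding context describes it as intentionally limited to sockets handed over by other IPC. Since this very commit makes a non-networked app domain possible, consider leaving `net_domain()` out here and documenting the decision with a comment such as `# Intentionally no net_domain(): isolated apps get sockets only via IPC.`, or else qualify the commit description's "no effective change" claim for this domain.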
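Review bot: The added `self:{ udp_socket rawip_socket } create_socket_perms` line and the enlarged netlink_route_socket block apply to every domain that calls `net_domain()`, not only to app domains, so any non-app netdomain now gains raw IP socket creation plus netlink `ioctl`/`getattr`/`setattr`/`getopt`/`setopt`/`shutdown` that the old `{ create bind read nlmsg_read }` rule did not grant; the commit description's "no effective change" only speaks for apps, so the set of non-app callers of `net_domain()` is worth checking before merging. The rationale for raw sockets was only recorded in the app.te comment that this commit deletes, so carry it over here, e.g. `# rawip_socket is needed by apps that execute /system/bin/ping.`. It is also worth stating that the netlink block, as written, contains neither `write` nor `nlmsg_write`, so the intent is observing rather than modifying the routing table: `# Observe the routing table only: no write/nlmsg_write here.`.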