Introduce fwmarkd: a service to set the fwmark of sockets.

Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
mozilla-b2g · May 14, 2014 · f74d781 · f74d781
1 parent f1f467f
commit f74d781
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 0 deletions.
diff --git a/file.te b/file.te
@@ -118,6 +118,7 @@ type adbd_socket, file_type;
 type bluetooth_socket, file_type;
 type dnsproxyd_socket, file_type, mlstrustedobject;
 type dumpstate_socket, file_type;
+type fwmarkd_socket, file_type, mlstrustedobject;
 type gps_socket, file_type;
 type installd_socket, file_type;
 type lmkd_socket, file_type;

diff --git a/file_contexts b/file_contexts
@@ -79,6 +79,7 @@
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
+/dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
 /dev/socket/gps		u:object_r:gps_socket:s0
 /dev/socket/installd	u:object_r:installd_socket:s0
 /dev/socket/lmkd        u:object_r:lmkd_socket:s0

diff --git a/net.te b/net.te
@@ -18,5 +18,8 @@ allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
 
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
 # Connect to mdnsd via mdnsd socket.
 unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/netd.te b/netd.te
@@ -58,6 +58,10 @@ allow netd clatd:process signal;
 
 allow netd ctl_mdnsd_prop:property_service set;
 
+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
+allow netd netdomain:fd use;
+
 ###
 ### Neverallow rules
 ###

diff --git a/su.te b/su.te
@@ -21,6 +21,9 @@ userdebug_or_eng(`
   allow su su_tmpfs:file execute;
   allow su debuggerd_prop:property_service set;
 
+  # Make su a net domain.
+  net_domain(su)
+
   # su is also permissive to permit setenforce.
   permissive su;