Based on this http://elinux.org/Android_Security#Paranoid_network-ing
Paranoid network-ing

Android adds a "paranoid network" option to the Linux kernel, which restricts access to some networking features depending on the group of the calling process. The list of groups that are allowed access to networking features is in the kernel source file: /include/linux/android_aids.h

Here is the list:

#define           GID   Capability
AID_NET_BT_ADMIN  3001  Can create an RFCOMM, SCO, or L2CAP Bluetooth socket
AID_NET_BT        3002  Can create a Bluetooth socket
AID_INET          3003  Can create IPv4 or IPv6 socket
AID_NET_RAW       3004  Can create certain kinds of IPv4 sockets??
AID_NET_ADMIN*    3005  Allow CAP_NET_ADMIN permissions for process

Note: * Added in Donut (not in original Android 1.0)

Tai

From: William Roberts <[email protected]>
Date: Tuesday, October 29, 2013 11:58 AM
To: Tai Nguyen <[email protected]>, William Roberts <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: RE: Rules for AnyConnect VPN app

From: [email protected] [mailto:[email protected]] On Behalf Of Tai Nguyen (tainguye)
Sent: Tuesday, October 29, 2013 8:53 AM
To: William Roberts
Cc: [email protected]
Subject: Re: Rules for AnyConnect VPN app

It seems like Android provides a permission/group ID that can have the NET_RAW capability, thus allowing the app to use the iptables command without running as root. So, in this case, although the app has the right Android permission to gain the NET_RAW capability, we still need to have a rule that allows the VPN app the {net_admin, net_raw} capability, right?

[William Roberts] I don't think that's right, look at the capability set in Zygote, it gets cleared to 0.
    if (isSystemServer) {
        // have caps
    } else {
        // no caps for others
        mountMode = args[5];
        permittedCapabilities = effectiveCapabilities = 0;
    }

See: dalvik/vm/native/dalvik_system_Zygote.cpp

Thanks,
Tai

From: William Roberts <[email protected]>
Date: Monday, October 28, 2013 6:48 PM
To: Tai Nguyen <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: Rules for AnyConnect VPN app

If AnyConnect is touching iptables directly then you're running a rooted version of the application. I would recommend you use one that makes use of Android's VPNService. I would also discourage use of vpn_app, as that will probably go away in the future. All 3rd party apps should run in untrusted, unless you're doing some tightly coupled integration or running rooted apps that require additional permissions.

On Mon, Oct 28, 2013 at 3:17 PM, Tai Nguyen (tainguye) <[email protected]> wrote:

Hi all,

Has anyone created rules to support the AnyConnect VPN app yet? I see the following rules in the seandroid 4.2 branch:

#
# 3rd party VPN clients that have seinfo=vpn in mac_permissions.xml
# This is a more secure alternative to allowing untrusted_app access
# to create a VPN tunnel.
type vpn_app, domain;
app_domain(vpn_app)
net_domain(vpn_app)
allow vpn_app tun_device:chr_file rw_file_perms;
allow vpn_app system_data_file:file { execute open };
allow vpn_app qtaguid_device:chr_file r_file_perms;
allow vpn_app vpn_app_data_file:dir create_dir_perms;
allow vpn_app vpn_app_data_file:notdevfile_class_set create_file_perms;
allow vpn_app vpn_app:netlink_route_socket write;

However, I don't think this is complete, since the AnyConnect app needs to configure iptables.

Thanks,
Tai

--
Respectfully,
William C Roberts
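The point of contention in the thread is whether belonging to one of the paranoid-network groups (AID_NET_RAW, AID_NET_ADMIN) is the same as holding CAP_NET_RAW or CAP_NET_ADMIN once Zygote has zeroed the permitted and effective capability sets. The following C program is an added example, not code from the thread, from elinux.org or from any Android source file: it reads the "Groups:" and "CapEff:" lines of /proc/<pid>/status and reports the two facts separately, which is the check a policy reviewer would run on a real app process before deciding whether a rule granting {net_admin, net_raw} is even reachable. The helper names, the GID values taken from the table above, the capability bit numbers from <linux/capability.h>, the simplified model of the AID_INET gate, and the two sample status texts are all constructed for this example.

```c
/* Added example (not from the thread or any Android source): split "has the
 * paranoid-network GID" from "holds the capability bit" for one process, using
 * the Groups: and CapEff: lines of /proc/<pid>/status. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_ADMIN 12   /* bit numbers from <linux/capability.h> */
#define CAP_NET_RAW   13

#define AID_INET      3003 /* paranoid-network GIDs from the table in the thread */
#define AID_NET_RAW   3004
#define AID_NET_ADMIN 3005

#define MAX_GROUPS 64

struct proc_net_view {
    uint64_t cap_eff;             /* CapEff: effective capability bitmask */
    unsigned groups[MAX_GROUPS];  /* Groups: supplementary group ids      */
    size_t ngroups;
};

/* Parse the text of /proc/<pid>/status. Returns 0 on success, -1 when no
 * CapEff line is present (truncated read or unexpected format). */
int parse_status(const char *text, struct proc_net_view *v)
{
    int have_cap = 0;
    memset(v, 0, sizeof *v);
    for (const char *line = text; line && *line; ) {
        const char *nl = strchr(line, '\n');
        const char *end_of_line = nl ? nl : line + strlen(line);
        if (strncmp(line, "CapEff:", 7) == 0) {
            v->cap_eff = strtoull(line + 7, NULL, 16);
            have_cap = 1;
        } else if (strncmp(line, "Groups:", 7) == 0) {
            const char *p = line + 7;
            while (p < end_of_line && v->ngroups < MAX_GROUPS) {
                while (p < end_of_line && (*p == ' ' || *p == '\t')) p++;
                if (p >= end_of_line || *p < '0' || *p > '9') break; /* stay on this line */
                char *next;
                v->groups[v->ngroups++] = (unsigned)strtoul(p, &next, 10);
                p = next;
            }
        }
        line = nl ? nl + 1 : NULL;
    }
    return have_cap ? 0 : -1;
}

int has_cap(const struct proc_net_view *v, int cap)
{
    return (int)((v->cap_eff >> cap) & 1u);
}

int in_group(const struct proc_net_view *v, unsigned gid)
{
    for (size_t i = 0; i < v->ngroups; i++)
        if (v->groups[i] == gid) return 1;
    return 0;
}

/* Paranoid-network gate for ordinary IPv4/IPv6 sockets, modelled here simply
 * as membership in AID_INET (the GID 3003 row of the table). */
int paranoid_inet_allowed(const struct proc_net_view *v)
{
    return in_group(v, AID_INET);
}

/* Editing netfilter rules (what iptables does) needs CAP_NET_ADMIN in the
 * effective set; the GID rows by themselves do not set that bit. */
int can_modify_netfilter(const struct proc_net_view *v)
{
    return has_cap(v, CAP_NET_ADMIN);
}

/* Constructed sample: an app forked by Zygote with the network GIDs but CapEff = 0. */
const char *SAMPLE_APP_STATUS =
    "Name:\tcom.example.vpn\n"
    "Uid:\t10050\t10050\t10050\t10050\n"
    "Groups:\t3003 3004 3005 9997 \n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n";

/* Constructed sample: a native daemon that really holds CAP_NET_ADMIN|CAP_NET_RAW. */
const char *SAMPLE_DAEMON_STATUS =
    "Name:\tnetd\n"
    "Groups:\t3003 3004 \n"
    "CapEff:\t0000000000003000\n";

int main(void)
{
    char buf[8192];
    struct proc_net_view v;
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    if (n == 0 || parse_status(buf, &v) != 0) {
        fputs("could not read CapEff from /proc/self/status\n", stderr);
        return 1;
    }
    printf("CAP_NET_ADMIN=%d CAP_NET_RAW=%d AID_INET=%d netfilter-capable=%d\n",
           has_cap(&v, CAP_NET_ADMIN), has_cap(&v, CAP_NET_RAW),
           paranoid_inet_allowed(&v), can_modify_netfilter(&v));
    return 0;
}
```

Run against a live process (adb shell cat /proc/<pid>/status piped into a small wrapper, or the program's own /proc/self/status as above), an app process shows the 3003/3004/3005 groups but a zero CapEff, which is the Zygote behaviour quoted above: the SELinux rule question is moot until something other than the group list places the bit in the effective set.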
