Merge "Add xfrm netlink permissions for system server" am: f2b91a0199
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2101798 Change-Id: Ia0d409991b1c03c62f6ef8ee930f7a47fae06c46 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Treehugger Robot
Automerger Merge Worker
commit
5cb7ed06e3
2 changed files with 6 additions and 0 deletions
|
|
@ -56,6 +56,9 @@ allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
|
|||
allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
|
||||
allow network_stack bpfloader:bpf { map_read map_write prog_run };
|
||||
|
||||
# Use XFRM (IPsec) netlink sockets
|
||||
allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
|
||||
|
||||
# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
|
||||
# Unfortunately init/vendor_init have all sorts of extra privs
|
||||
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
|
||||
|
|
|
|||
|
|
@ -180,6 +180,9 @@ allow system_server self:socket create_socket_perms_no_ioctl;
|
|||
# Set and get routes directly via netlink.
|
||||
allow system_server self:netlink_route_socket nlmsg_write;
|
||||
|
||||
# Use XFRM (IPsec) netlink sockets
|
||||
allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
|
||||
|
||||
# Kill apps.
|
||||
allow system_server appdomain:process { getpgid sigkill signal };
|
||||
# signull allowed for kill(pid, 0) existence test.
|
||||
|
|
|
|||
Loading…
Reference in a new issue