bff9801521
Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
# vpn tunneling protocol manager
type mtp, domain, domain_deprecated;
type mtp_exec, exec_type, file_type;
init_daemon_domain(mtp)
net_domain(mtp)
# pptp policy
allow mtp self:socket create_socket_perms_no_ioctl;
allow mtp self:capability net_raw;
allow mtp ppp:process signal;
allow mtp vpn_data_file:dir search;
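Review bot: `allow mtp self:socket create_socket_perms_no_ioctl;` leaves the generic socket class with no ioctl whitelist at all, unlike the tcp/udp/rawip classes the commit message says receive a default unprivileged whitelist, so any ioctl the pptp daemon issues on the raw socket it opens under net_raw would now be denied with no fallback. Whether mtp actually needs an ioctl on that socket cannot be told from this file; a denial audit over a pptp connection would settle it. Either way the policy should record the intent next to the rule, e.g. `# pptp: no ioctl is granted on the generic socket class; add an ioctlcmd whitelist here only if a specific denial is observed`, so a later maintainer does not re-add blanket ioctl to silence a denial.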