75806ef3c5
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
23 lines
996 B
Text
23 lines
996 B
Text
typeattribute dnsmasq coredomain;
|
|
|
|
net_domain(dnsmasq)
|
|
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
|
|
|
|
# TODO: Run with dhcp group to avoid need for dac_override.
|
|
allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
|
|
|
|
allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
|
|
|
|
allow dnsmasq dhcp_data_file:dir w_dir_perms;
|
|
allow dnsmasq dhcp_data_file:file create_file_perms;
|
|
|
|
# Inherit and use open files from netd.
|
|
allow dnsmasq netd:fd use;
|
|
allow dnsmasq netd:fifo_file { getattr read write };
|
|
# TODO: Investigate whether these inherited sockets should be closed on exec.
|
|
allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
|
|
allow dnsmasq netd:netlink_nflog_socket { read write };
|
|
allow dnsmasq netd:netlink_route_socket { read write };
|
|
allow dnsmasq netd:unix_stream_socket { getattr read write };
|
|
allow dnsmasq netd:unix_dgram_socket { read write };
|
|
allow dnsmasq netd:udp_socket { read write };
|