tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/racoon.te
Eric Biggers cc5cb431ee Stop granting permissions on keystore_key class 
When keystore was replaced with keystore2 in Android 12, the SELinux
class of keystore keys was changed from keystore_key to keystore2_key.
However, the rules that granted access to keystore_key were never
removed.  This CL removes them, as they are no longer needed.

Don't actually remove the class and its permissions from
private/security_classes and private/access_vectors.  That would break
the build because they're referenced by rules in prebuilts/.

Bug: 171305684
Test: atest CtsKeystoreTestCases
Flag: exempt, removing obsolete code
Change-Id: I35d9ea22c0d069049a892def15a18696c4f287a3
2023-10-16 22:22:54 +00:00

27 lines
973 B
Text
Raw Blame History

# IKE key management daemon
type racoon, domain;
type racoon_exec, system_file_type, exec_type, file_type;
typeattribute racoon mlstrustedsubject;
net_domain(racoon)
allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
binder_use(racoon)
allow racoon tun_device:chr_file r_file_perms;
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
allow racoon cgroup_v2:dir { add_name create };
allow racoon self:key_socket create_socket_perms_no_ioctl;
allow racoon self:tun_socket create_socket_perms_no_ioctl;
allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file rx_file_perms;
not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms;
use_keystore(racoon)
Reference in a new issue View git blame Copy permalink