64aa71a430
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families") modified the kernel to support fine-grained differentiation of socket families, if userspace enables it (which Android does). Modify the ppp SELinux policy to allow the use of pppox_socket (needed for kernels 4.14 or greater) and the generic "socket" family (for kernels below 4.14). Addresses the following denials: 04-19 20:25:34.059 16848 16848 I pppd : type=1400 audit(0.0:8703): avc: denied { read write } for dsm=HS_Q path="socket:[171178]" dev="sockfs" ino=171178 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1 04-19 20:25:34.075 16848 16848 I pppd : type=1400 audit(0.0:8704): avc: denied { ioctl } for dsm=HS_Q path="socket:[171179]" dev="sockfs" ino=171179 ioctlcmd=0x7437 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1 Bug: 130852066 Test: compiles Change-Id: I00cc07108acaac5f2519ad0093d9db9572e325dc Merged-In: I00cc07108acaac5f2519ad0093d9db9572e325dc
# Point to Point Protocol daemon
|
|
type ppp, domain;
|
|
type ppp_device, dev_type;
|
|
type ppp_exec, system_file_type, exec_type, file_type;
|
|
|
|
net_domain(ppp)
|
|
|
|
r_dir_file(ppp, proc_net_type)
|
|
|
|
allow ppp mtp:{ socket pppox_socket } rw_socket_perms;
|
|
|
|
# ioctls needed for VPN.
|
|
allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
|
|
allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;
|
|
|
|
allow ppp mtp:unix_dgram_socket rw_socket_perms;
|
|
allow ppp ppp_device:chr_file rw_file_perms;
|
|
allow ppp self:global_capability_class_set net_admin;
|
|
allow ppp system_file:file rx_file_perms;
|
|
not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
|
|
allow ppp vpn_data_file:dir w_dir_perms;
|
|
allow ppp vpn_data_file:file create_file_perms;
|
|
allow ppp mtp:fd use;
|
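Review bot: The two-class rules `allow ppp mtp:{ socket pppox_socket } rw_socket_perms;` and `allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;` carry no comment saying why both classes are listed, so a later cleanup could drop the generic `socket` entry as redundant and silently break pre-4.14 kernels; a one-line comment above the first rule, `# pppox_socket on kernels >= 4.14 with extended socket classes; generic socket on older kernels`, would preserve the rationale from the commit message in the policy itself. The second denial in the commit message was for ioctlcmd=0x7437, and the allowxperm rule only resolves it if `ppp_ioctls` (defined outside this file) includes that command, which the "Test: compiles" line does not confirm; it is worth checking the macro before merging. Both rules are scoped to sockets labeled mtp and the ioctl grant is narrowed by extended permissions, which keeps the added access tied to the fds mtp hands over (`allow ppp mtp:fd use;` at the end of the file) rather than to sockets in general.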