342362ae3e
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
25 lines
1 KiB
Text
25 lines
1 KiB
Text
# DNS, DHCP services
|
|
type dnsmasq, domain;
|
|
type dnsmasq_exec, exec_type, file_type;
|
|
|
|
net_domain(dnsmasq)
|
|
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
|
|
|
|
# TODO: Run with dhcp group to avoid need for dac_override.
|
|
allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
|
|
|
|
allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
|
|
|
|
allow dnsmasq dhcp_data_file:dir w_dir_perms;
|
|
allow dnsmasq dhcp_data_file:file create_file_perms;
|
|
|
|
# Inherit and use open files from netd.
|
|
allow dnsmasq netd:fd use;
|
|
allow dnsmasq netd:fifo_file { read write };
|
|
# TODO: Investigate whether these inherited sockets should be closed on exec.
|
|
allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
|
|
allow dnsmasq netd:netlink_nflog_socket { read write };
|
|
allow dnsmasq netd:netlink_route_socket { read write };
|
|
allow dnsmasq netd:unix_stream_socket { read write };
|
|
allow dnsmasq netd:unix_dgram_socket { read write };
|
|
allow dnsmasq netd:udp_socket { read write };
|