bff9801521
Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
25 lines
995 B
Text
25 lines
995 B
Text
# DNS, DHCP services
|
|
type dnsmasq, domain, domain_deprecated;
|
|
type dnsmasq_exec, exec_type, file_type;
|
|
|
|
net_domain(dnsmasq)
|
|
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
|
|
|
|
# TODO: Run with dhcp group to avoid need for dac_override.
|
|
allow dnsmasq self:capability dac_override;
|
|
|
|
allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
|
|
|
|
allow dnsmasq dhcp_data_file:dir w_dir_perms;
|
|
allow dnsmasq dhcp_data_file:file create_file_perms;
|
|
|
|
# Inherit and use open files from netd.
|
|
allow dnsmasq netd:fd use;
|
|
allow dnsmasq netd:fifo_file { read write };
|
|
# TODO: Investigate whether these inherited sockets should be closed on exec.
|
|
allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
|
|
allow dnsmasq netd:netlink_nflog_socket { read write };
|
|
allow dnsmasq netd:netlink_route_socket { read write };
|
|
allow dnsmasq netd:unix_stream_socket { read write };
|
|
allow dnsmasq netd:unix_dgram_socket { read write };
|
|
allow dnsmasq netd:udp_socket { read write };
|