448bd57181
Starting in Android 11, Android unconditionally disables kernel module autoloading (https://r.android.com/1254748) in such a way that even the SELinux permission does not get checked. Therefore, all the SELinux rules that allow or dontaudit the module_request permission are no longer necessary. Their presence or absence makes no difference. Bug: 130424539 Test: Booted Cuttlefish, no SELinux denials. Change-Id: Ib80e3c8af83478ba2c38d3e8a8ae4e1192786b57
34 lines
1.1 KiB
Text
34 lines
1.1 KiB
Text
# IKE key management daemon
|
|
type racoon, domain;
|
|
type racoon_exec, system_file_type, exec_type, file_type;
|
|
|
|
typeattribute racoon mlstrustedsubject;
|
|
|
|
net_domain(racoon)
|
|
allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
|
|
|
|
binder_use(racoon)
|
|
|
|
allow racoon tun_device:chr_file r_file_perms;
|
|
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
|
|
allow racoon cgroup:dir { add_name create };
|
|
allow racoon cgroup_v2:dir { add_name create };
|
|
|
|
allow racoon self:key_socket create_socket_perms_no_ioctl;
|
|
allow racoon self:tun_socket create_socket_perms_no_ioctl;
|
|
allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
|
|
|
|
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
|
|
allow racoon system_file:file rx_file_perms;
|
|
not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
|
|
allow racoon vpn_data_file:file create_file_perms;
|
|
allow racoon vpn_data_file:dir w_dir_perms;
|
|
|
|
use_keystore(racoon)
|
|
|
|
# Racoon (VPN) has a restricted set of permissions from the default.
|
|
allow racoon keystore:keystore_key {
|
|
get
|
|
sign
|
|
verify
|
|
};
|