bff9801521
Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
# Point to Point Protocol daemon
# Process domain the PPP daemon runs in. It carries the generic `domain`
# attribute plus `domain_deprecated`, so it also inherits whatever rules the
# wider policy attaches to those attributes, not only the rules in this file.
# NOTE(review): confirm ppp still needs domain_deprecated; the attribute is
# defined outside this file and widens the domain beyond what is listed here.
type ppp, domain, domain_deprecated;
# Label for the PPP device node; the dev_type attribute marks it as a device.
type ppp_device, dev_type;
# Label for the daemon's executable; this is the entrypoint type named in the
# domain transition declared in this file.
type ppp_exec, exec_type, file_type;
# A process in the mtp domain that executes a file labeled ppp_exec is moved
# into the ppp domain automatically. mtp is the only source domain this file
# gives a transition into ppp.
domain_auto_trans(mtp, ppp_exec, ppp)
# Grants ppp the policy's common network-access rule set. The macro body is
# defined elsewhere; review it together with this file when auditing which
# socket operations ppp can actually perform.
net_domain(ppp)
# Read/write access to generic sockets created by mtp, deliberately without
# ioctl: the commit description removes the ioctl permission for most socket
# classes, and the generic `socket` class is one of them.
allow ppp mtp:socket rw_socket_perms_no_ioctl;
# Read/write access to mtp's unix datagram sockets. This rule keeps the full
# rw_socket_perms set, which still includes ioctl; per the commit description,
# unix_dgram ioctls are limited by a default unprivileged whitelist enforced
# through a neverallowxperm rule. That whitelist is not visible in this file.
allow ppp mtp:unix_dgram_socket rw_socket_perms;
# Read/write access to the character device labeled ppp_device.
allow ppp ppp_device:chr_file rw_file_perms;
# CAP_NET_ADMIN for the daemon itself. This is the broadest grant in the file:
# it covers interface, routing and other network configuration. No other
# capability is granted here, so any new capability request for ppp deserves
# explicit review.
allow ppp self:capability net_admin;
# Read and execute files labeled system_file. Presumably this lets the daemon
# run helper binaries or scripts from the system image; confirm which ones,
# because anything executed this way runs with ppp's net_admin capability
# unless a separate transition applies.
allow ppp system_file:file rx_file_perms;
# Write-side directory permissions (adding and removing entries) on
# directories labeled vpn_data_file.
allow ppp vpn_data_file:dir w_dir_perms;
# Create, modify and delete regular files labeled vpn_data_file. Combined with
# the directory rule on the same label, ppp can create and remove its own
# state files there.
allow ppp vpn_data_file:file create_file_perms;
# Permit use of file descriptors that were opened by mtp and inherited by or
# passed to ppp. The socket rules in this file that target mtp depend on
# this grant.
allow ppp mtp:fd use;