bff9801521
Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
32 lines
911 B
Text
32 lines
911 B
Text
# IKE key management daemon
|
|
type racoon, domain, domain_deprecated;
|
|
type racoon_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(racoon)
|
|
typeattribute racoon mlstrustedsubject;
|
|
|
|
net_domain(racoon)
|
|
|
|
binder_use(racoon)
|
|
|
|
allow racoon tun_device:chr_file r_file_perms;
|
|
allow racoon cgroup:dir { add_name create };
|
|
allow racoon kernel:system module_request;
|
|
|
|
allow racoon self:key_socket create_socket_perms_no_ioctl;
|
|
allow racoon self:tun_socket create_socket_perms_no_ioctl;
|
|
allow racoon self:capability { net_admin net_bind_service net_raw setuid };
|
|
|
|
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
|
|
allow racoon system_file:file rx_file_perms;
|
|
allow racoon vpn_data_file:file create_file_perms;
|
|
allow racoon vpn_data_file:dir w_dir_perms;
|
|
|
|
use_keystore(racoon)
|
|
|
|
# Racoon (VPN) has a restricted set of permissions from the default.
|
|
allow racoon keystore:keystore_key {
|
|
get
|
|
sign
|
|
verify
|
|
};
|