platform_system_sepolicy/public/racoon.te
Nick Kralevich 3ddaa63bde racoon: allow ioctl TUNSETIFF
Used by
bf16586a33/main.c (116)

Addresses the following denial:

audit(0.0:8126): avc: denied { ioctl } for comm="racoon" path="/dev/tun" dev="tmpfs" ino=25329 ioctlcmd=0x54ca scontext=u:r:racoon:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0

Test: policy compiles.
Change-Id: Ia26077d4a9e810c7006d4b979d6b7e9ca154b485
2018-11-15 10:32:45 -08:00

34 lines
1.1 KiB
Text

# IKE key management daemon
type racoon, domain;
type racoon_exec, system_file_type, exec_type, file_type;
typeattribute racoon mlstrustedsubject;
net_domain(racoon)
allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
binder_use(racoon)
allow racoon tun_device:chr_file r_file_perms;
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;
allow racoon self:tun_socket create_socket_perms_no_ioctl;
allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file rx_file_perms;
not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms;
use_keystore(racoon)
# Racoon (VPN) has a restricted set of permissions from the default.
allow racoon keystore:keystore_key {
get
sign
verify
};