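# ==============================================
# Policy File of /system/bin/epdg_wod Executable File
# ==============================================

# ==============================================
# Type Declaration
# ==============================================
# epdg_wod_exec labels the daemon binary; epdg_wod is the domain it runs in.
type epdg_wod_exec , exec_type, file_type;
type epdg_wod ,domain;

# ==============================================
# MTK Policy Rule
# ==============================================
# Daemon started by init: init_daemon_domain() provides the init -> epdg_wod
# transition when the epdg_wod_exec binary is executed.
init_daemon_domain(epdg_wod)

# Executing the strongSwan binaries (starter/charon/stroke) transitions
# into the ipsec domain, so they run with ipsec's permissions rather than
# inheriting this domain's. The redundant second starter_exec transition
# that was listed here has been dropped; one rule per exec type.
domain_auto_trans(epdg_wod, starter_exec, ipsec)
domain_auto_trans(epdg_wod, charon_exec, ipsec)
domain_auto_trans(epdg_wod, stroke_exec, ipsec)

# Date: WK14.52
# Operation : Feature for ePDG
# Purpose : handle tunnel interface
# execute_no_trans on system_file lets epdg_wod run any system_file-labeled
# binary inside its own domain. NOTE(review): confirm which helpers are
# actually needed and whether a dedicated exec label would be narrower.
allow epdg_wod system_file:file { read getattr open execute execute_no_trans };
allow epdg_wod self:tun_socket { relabelfrom relabelto create };
allow epdg_wod tun_device:chr_file { read write ioctl open };
allow epdg_wod self:netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
# net_admin: tun/route configuration; kill: signalling the ipsec process
# (see the ipsec:process rule below). NOTE(review): dac_override bypasses
# DAC ownership/mode checks on every file this domain touches — if it only
# exists to reach files owned by another UID, fixing ownership or labels
# is the narrower option; confirm before keeping it.
allow epdg_wod self:capability { net_admin dac_override kill };

# Purpose : update ipsec daemon
# execute_no_trans: ipsec_exec is run inside epdg_wod's own domain here
# (no transition), unlike the starter/charon/stroke binaries above.
allow epdg_wod ipsec_exec:file { read getattr open execute execute_no_trans };

# Purpose : send signal to process (ipsec/charon)
allow epdg_wod ipsec:process signal;

# Purpose : set property for debug messages
# Standard property-set path: connect to init's property socket and
# set properties labeled mtk_wod_prop.
allow epdg_wod init:unix_stream_socket connectto;
allow epdg_wod mtk_wod_prop:property_service set;
allow epdg_wod property_socket:sock_file write;

# Purpose : Query ePDG IP address
# Presumably name resolution via netd's dnsproxyd socket.
allow epdg_wod dnsproxyd_socket:sock_file write;
allow epdg_wod netd:unix_stream_socket connectto;

# Purpose : remove stale charon/starter PID files
allow epdg_wod vpn_data_file:dir { search write remove_name };
allow epdg_wod vpn_data_file:file { read getattr open unlink };

# Purpose : create strongswan config file for IKEv2 Tunnel
allow epdg_wod wod_apn_conf_file:dir { write read open add_name remove_name search };
allow epdg_wod wod_apn_conf_file:file { write create unlink open getattr };
allow epdg_wod wod_ipsec_conf_file:file { write create unlink open getattr };
allow epdg_wod wod_ipsec_conf_file:dir { write read open add_name remove_name search };

#
# TODO: NEED PATCH before 20150331, need to remove shell command
#
#allow epdg_wod shell_exec:file { read execute open execute_no_trans };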