authorMister Oyster <oysterized@gmail.com>2017-01-02 12:44:35 +0100
committerMister Oyster <oysterized@gmail.com>2017-01-02 12:44:35 +0100
commita184d985bf43d3fe6eeba971bc6b32f79ea38b37 (patch)
tree6f6e56e090777cc149bc1ab39e5987cc2b03e867 /sepolicy/ipsec.te
initial releasecm-13.0
Diffstat (limited to 'sepolicy/ipsec.te')
-rw-r--r--sepolicy/ipsec.te75
1 files changed, 75 insertions, 0 deletions
diff --git a/sepolicy/ipsec.te b/sepolicy/ipsec.te
new file mode 100644
index 0000000..c4b2163
--- /dev/null
+++ b/sepolicy/ipsec.te
@@ -0,0 +1,75 @@
+# ==============================================
+# Policy File of /system/bin/ipsec Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type starter_exec , exec_type, file_type;
+type charon_exec , exec_type, file_type;
+type ipsec_exec , exec_type, file_type;
+type stroke_exec , exec_type, file_type;
+type ipsec ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date: WK14.52
+# Operation : Feature developing for ePDG
+
+# Purpose : access xfrm
+allow ipsec proc_net:file write;
+
+# Purpose : set property for ip address with epdg_wod
+allow ipsec mtk_wod_prop:property_service set;
+allow ipsec property_socket:sock_file write;
+
+# Purpose : send command to epdg_wod
+allow ipsec wod_ipsec_socket:sock_file write;
+
+# Purpose : create socket for IKEv2 protocol
+allow ipsec node:udp_socket node_bind;
+allow ipsec port:tcp_socket name_connect;
+allow ipsec port:udp_socket name_bind;
+
+# Purpose : Query DNS address
+allow ipsec netd:unix_stream_socket connectto;
+allow ipsec dnsproxyd_socket:sock_file write;
+
+# Purpose : access property socket
+allow ipsec init:unix_stream_socket connectto;
+
+# Purpose : access socket of wod and property
+allow ipsec epdg_wod:unix_stream_socket { read write connectto };
+
+# Purpose : output to /dev/null
+allow ipsec epdg_wod:fd use;
+
+# Purpose : starter invoke charon
+allow ipsec charon_exec:file execute_no_trans;
+
+# Purpose : charon set fwmark
+allow ipsec fwmarkd_socket:sock_file write;
+
+# Purpose : kernel ip/route operations
+allow ipsec self:capability { net_admin net_bind_service dac_override kill };
+
+# Purpose : send/receive packet to/from peer
+allow ipsec self:tcp_socket { write getattr connect read getopt create };
+allow ipsec self:udp_socket { write bind create read setopt };
+
+# Purpose : kernel ip/route operations
+allow ipsec self:netlink_route_socket { write nlmsg_write read bind create nlmsg_read };
+allow ipsec self:netlink_xfrm_socket { write bind create read nlmsg_write nlmsg_read };
+
+# Purpose : charon/starter PID file
+allow ipsec vpn_data_file:dir { write remove_name add_name search };
+allow ipsec vpn_data_file:file { write create open getattr setattr read unlink };
+allow ipsec vpn_data_file:sock_file { write create unlink setattr };
+
+# Purpose : read strongswan config file for IKEv2 Tunnel
+allow ipsec wod_apn_conf_file:dir search;
+allow ipsec wod_apn_conf_file:file { read ioctl open getattr };
+allow ipsec wod_ipsec_conf_file:file { read ioctl open getattr };
+allow ipsec wod_ipsec_conf_file:dir search;
+
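Review bot: The capability line `allow ipsec self:capability { net_admin net_bind_service dac_override kill };` is headed "kernel ip/route operations", but only net_admin and net_bind_service fit that description; dac_override bypasses DAC permission checks on every file the daemon touches and kill is unqualified, and neither is justified anywhere in the file. If the PID and socket files under vpn_data_file are the reason for dac_override, giving them the right owner or mode is the usual alternative; otherwise each of the two should get its own `# Purpose :` line so an auditor can tie it to a concrete need. Separately, four exec types are declared (`starter_exec`, `charon_exec`, `ipsec_exec`, `stroke_exec`) yet no `init_daemon_domain` or `domain_auto_trans` rule attaches any of them to the `ipsec` domain, so unless that transition lives in another .te file the binaries will not run in this domain and none of these rules will apply. Note also that the same comment `# Purpose : kernel ip/route operations` heads both the capability block and the netlink block; the first should be reworded, e.g. `# Purpose : capabilities for routing and privileged socket setup`.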