Diffstat (limited to 'sepolicy/epdg_wod.te')
| -rw-r--r-- | sepolicy/epdg_wod.te | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/sepolicy/epdg_wod.te b/sepolicy/epdg_wod.te
new file mode 100644
index 0000000..5accab6
--- /dev/null
+++ b/sepolicy/epdg_wod.te
@@ -0,0 +1,59 @@
+# ==============================================
+# Policy File of /system/bin/epdg_wod Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type epdg_wod_exec , exec_type, file_type;
+type epdg_wod ,domain;
+
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(epdg_wod)
+
+domain_auto_trans(epdg_wod, starter_exec, ipsec)
+domain_auto_trans(epdg_wod, charon_exec, ipsec)
+domain_auto_trans(epdg_wod, starter_exec, ipsec)
+domain_auto_trans(epdg_wod, stroke_exec, ipsec)
+
+# Date: WK14.52
+# Operation : Feature for ePDG
+# Purpose : handle tunnel interface
+allow epdg_wod system_file:file { read getattr open execute execute_no_trans };
+allow epdg_wod self:tun_socket { relabelfrom relabelto create };
+allow epdg_wod tun_device:chr_file { read write ioctl open };
+allow epdg_wod self:netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
+allow epdg_wod self:capability { net_admin dac_override kill };
+
+# Purpose : update ipsec deamon
+allow epdg_wod ipsec_exec:file { read getattr open execute execute_no_trans };
+
+# Purpose : send signal to process (ipsec/charon)
+allow epdg_wod ipsec:process signal;
+
+# Purpose : set property for debug messages
+allow epdg_wod init:unix_stream_socket connectto;
+allow epdg_wod mtk_wod_prop:property_service set;
+allow epdg_wod property_socket:sock_file write;
+
+# Purpose : Query ePDG IP address
+allow epdg_wod dnsproxyd_socket:sock_file write;
+allow epdg_wod netd:unix_stream_socket connectto;
+
+# Purpose : removal old charon/starter PID file
+allow epdg_wod vpn_data_file:dir { search write remove_name };
+allow epdg_wod vpn_data_file:file { read getattr open unlink };
+
+# Purpose : create strongswan config file for IKEv2 Tunnel
+allow epdg_wod wod_apn_conf_file:dir { write read open add_name remove_name search };
+allow epdg_wod wod_apn_conf_file:file { write create unlink open getattr };
+allow epdg_wod wod_ipsec_conf_file:file { write create unlink open getattr };
+allow epdg_wod wod_ipsec_conf_file:dir { write read open add_name remove_name search };
+
+#
+# TODO: NEED PATCH before 20150331, need to remove shell command
+#
+#allow epdg_wod shell_exec:file { read execute open execute_no_trans };
+
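Review bot: `domain_auto_trans(epdg_wod, starter_exec, ipsec)` appears twice in the MTK Policy Rule section of this hunk; the second copy is redundant and should be dropped. The capability rule `allow epdg_wod self:capability { net_admin dac_override kill };` grants dac_override, which bypasses every DAC file-permission check, yet the only file access documented in the hunk is to vpn_data_file and the wod_apn_conf_file / wod_ipsec_conf_file types — if those paths can be owned by the daemon's own uid, dac_override can likely be removed, and if it must stay the `# Purpose` comment above it should name the path that needs it. Likewise `allow epdg_wod system_file:file { read getattr open execute execute_no_trans };` lets the domain run any system binary without a domain change; since the separate ipsec_exec rule already covers the ipsec wrapper and the charon/starter/stroke executables get their own transitions, consider trimming the system_file rule to `read getattr open` unless another binary is documented. The commented-out shell_exec rule under the `# TODO` block should remain disabled; replacing the hard date with a reference to the tracking item would make the intent clearer.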
