racoon policy.

Initial policy for racoon (IKE key management).

Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
Change-Id: If1e344f39ea914e42afbaa021b272ba1b7113479
diff --git a/app.te b/app.te
index cb8091b..76b765d 100644
--- a/app.te
+++ b/app.te
@@ -110,6 +110,8 @@
 allow untrusted_app port_type:udp_socket name_bind;
 allow untrusted_app port_type:tcp_socket name_bind;
 unix_socket_connect(untrusted_app, dnsproxyd, netd)
+allow untrusted_app tun_device:chr_file rw_file_perms;
+allow untrusted_app untrusted_app:netlink_route_socket write;
 # Get route information.
 allow untrusted_app self:netlink_route_socket { create bind read nlmsg_read };
 }
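Review bot: `allow untrusted_app untrusted_app:netlink_route_socket write;` names the domain as its own target while the rule two lines below uses `self` for the same socket class; for consistency, and so the grant reads as one rule, fold it into the existing line: `allow untrusted_app self:netlink_route_socket { create bind read write nlmsg_read };`. The first added line hands every untrusted app `rw_file_perms` on tun_device, which includes `open`, while the same commit also gives system rw access to the device and a comment in system.te describes it as serving third-party VPN apps; if the app only ever receives an already-opened descriptor from system, `{ read write }` without `open` would be the narrower grant — confirm which path the VPN apps use. The enclosing block of app.te, closed by the `}` on the last context line, starts outside this hunk.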
diff --git a/device.te b/device.te
index ecb7c10..4f3032a 100644
--- a/device.te
+++ b/device.te
@@ -42,6 +42,8 @@
 type gps_device, dev_type;
 type qtaguid_device, dev_type;
 type watchdog_device, dev_type;
+type uhid_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
 
 # All devices have a uart for the hci
 # attach service. The uart dev node
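Review bot: `type tun_device, dev_type, mlstrustedobject;` gives the tun node MLS-trusted status without a comment saying why, and nothing else in this change explains it; add a one-line comment above it stating the reason (presumably that system and app domains at different MLS levels all need to reach it — confirm), or drop the attribute if it is not needed. `type uhid_device, dev_type;` and its `/dev/uhid` context entry have nothing to do with racoon or IKE and are not mentioned in the commit description; they belong in their own change, or the description should name them.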
diff --git a/file.te b/file.te
index 65788df..cc196a3 100644
--- a/file.te
+++ b/file.te
@@ -87,6 +87,7 @@
 type netd_socket, file_type;
 type property_socket, file_type;
 type qemud_socket, file_type;
+type racoon_socket, file_type;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
 type system_wpa_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 0d2db38..00a79b2 100644
--- a/file_contexts
+++ b/file_contexts
@@ -89,6 +89,7 @@
 /dev/socket/netd	u:object_r:netd_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/qemud	u:object_r:qemud_socket:s0
+/dev/socket/racoon	u:object_r:racoon_socket:s0
 /dev/socket/rild	u:object_r:rild_socket:s0
 /dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
 /dev/socket/vold	u:object_r:vold_socket:s0
@@ -100,6 +101,8 @@
 /dev/tf_driver		u:object_r:tee_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
 /dev/ttyS[0-9]*		u:object_r:serial_device:s0
+/dev/tun		u:object_r:tun_device:s0
+/dev/uhid		u:object_r:uhid_device:s0
 /dev/uinput		u:object_r:input_device:s0
 /dev/urandom		u:object_r:urandom_device:s0
 /dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
@@ -135,6 +138,7 @@
 /system/bin/mtpd	u:object_r:mtp_exec:s0
 /system/bin/pppd	u:object_r:ppp_exec:s0
 /system/bin/tf_daemon	u:object_r:tee_exec:s0
+/system/bin/racoon	u:object_r:racoon_exec:s0
 /system/etc/ppp(/.*)?	u:object_r:ppp_system_file:s0
 /system/etc/dhcpcd(/.*)? u:object_r:dhcp_system_file:s0
 /system/xbin/su		u:object_r:su_exec:s0
diff --git a/global_macros b/global_macros
index cb3ed95..2f9b4fa 100644
--- a/global_macros
+++ b/global_macros
@@ -38,3 +38,8 @@
 define(`w_ipc_perms', `{ write unix_write }')
 define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
 define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
+
+#####################################
+# Common socket permission sets.
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`create_socket_perms', `{ create rw_socket_perms }')
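Review bot: The name `rw_socket_perms` undersells what the set grants: besides `read write append` it includes `bind connect setopt shutdown setattr`, so a domain given it via `create_socket_perms` can bind and connect, not merely use an existing socket. Either the comment should say so — `# rw_socket_perms: full use of an existing socket (I/O, bind/connect, sockopts, shutdown); create_socket_perms adds create.` — or the set should be split so that rules which only need I/O on an inherited socket do not pick up bind/connect. The only consumer visible in this change is racoon.te's `self:{ key_socket udp_socket } create_socket_perms` rule, where the wider set appears intended.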
diff --git a/racoon.te b/racoon.te
new file mode 100644
index 0000000..9f556e0
--- /dev/null
+++ b/racoon.te
@@ -0,0 +1,25 @@
+# IKE key management daemon
+type racoon, domain;
+type racoon_exec, exec_type, file_type;
+
+init_daemon_domain(racoon)
+typeattribute racoon mlstrustedsubject;
+
+binder_call(racoon, servicemanager)
+binder_call(racoon, keystore)
+
+allow racoon tun_device:chr_file r_file_perms;
+allow racoon cgroup:dir { add_name create };
+allow racoon kernel:system module_request;
+allow racoon port:udp_socket name_bind;
+allow racoon node:udp_socket node_bind;
+
+allow racoon self:{ key_socket udp_socket } create_socket_perms;
+allow racoon self:tun_socket create;
+allow racoon self:capability { net_admin net_bind_service net_raw setuid };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon ppp_system_file:file rx_file_perms;
+allow racoon ppp_system_file:dir search;
+allow racoon vpn_data_file:file create_file_perms;
+allow racoon vpn_data_file:dir w_dir_perms;
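Review bot: The new domain's privileged rules carry no rationale: `allow racoon self:capability { net_admin net_bind_service net_raw setuid };` and `allow racoon kernel:system module_request;` are the two grants a later auditor will question first, and neither has a comment. Add one-line comments such as `# net_admin/net_raw for SA and route setup, net_bind_service for IKE's privileged UDP ports, setuid to drop privileges after startup` (each reason confirmed against the daemon) and `# module_request: kernel autoloads <module — fill in> on first use` naming the module that is expected. The `XXX` about ip-up-vpn sharing the racoon domain means that script and whatever it runs inherit the capability set above; it is worth tracking as a follow-up rather than leaving in-line. The types `cgroup` and `vpn_data_file` are assumed to be declared elsewhere in the policy, since this change does not add them.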
diff --git a/system.te b/system.te
index 62240fe..c907a79 100644
--- a/system.te
+++ b/system.te
@@ -93,6 +93,9 @@
 # Notify init of death.
 allow system init:process sigchld;
 
+# 3rd party VPN clients require a tun_socket to be created
+allow system self:tun_socket create;
+
 # Talk to init and various daemons via sockets.
 unix_socket_connect(system, property, init)
 unix_socket_connect(system, qemud, qemud)
@@ -104,6 +107,7 @@
 unix_socket_connect(system, dbus, dbusd)
 unix_socket_connect(system, gps, gpsd)
 unix_socket_connect(system, bluetooth, bluetoothd)
+unix_socket_connect(system, racoon, racoon)
 unix_socket_send(system, wpa, wpa)
 
 # Communicate over a socket created by surfaceflinger.
@@ -147,6 +151,9 @@
 allow system video_device:chr_file rw_file_perms;
 allow system qemu_device:chr_file rw_file_perms;
 
+# tun device used for 3rd party vpn apps
+allow system tun_device:chr_file rw_file_perms;
+
 # Manage data files.
 allow system data_file_type:dir create_dir_perms;
 allow system data_file_type:notdevfile_class_set create_file_perms;
@@ -195,8 +202,9 @@
 allow system gps_device:chr_file rw_file_perms;
 allow system gps_control:file rw_file_perms;
 
-# system Read/Write udp_socket of untrusted_app
-allow system appdomain:udp_socket { read write };
+# system Read/Write tcp/udp_socket of untrusted_app
+allow system appdomain:{ tcp_socket udp_socket } { setopt read write };
+
 # Allow abstract socket connection
 allow system rild:unix_stream_socket connectto;