aboutsummaryrefslogtreecommitdiffstats
path: root/racoon.te
diff options
context:
space:
mode:
authorRiley Spahn <rileyspahn@google.com>2014-06-17 14:58:52 -0700
committerRiley Spahn <rileyspahn@google.com>2014-06-26 08:53:10 -0700
commit1196d2a5763c9a99be99ba81a4a29d938a83cc06 (patch)
tree03e20d5f1505006c66a8ffa3e60aa87c8ef50e91 /racoon.te
parent8c6552acfba677442d565a0c7f8e44f5f2af57f2 (diff)
downloadandroid_external_sepolicy-1196d2a5763c9a99be99ba81a4a29d938a83cc06.tar.gz
android_external_sepolicy-1196d2a5763c9a99be99ba81a4a29d938a83cc06.tar.bz2
android_external_sepolicy-1196d2a5763c9a99be99ba81a4a29d938a83cc06.zip
Adding policies for KeyStore MAC.
Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
Diffstat (limited to 'racoon.te')
-rw-r--r--racoon.te10
1 files changed, 9 insertions, 1 deletions
diff --git a/racoon.te b/racoon.te
index 6148255..8b09cdf 100644
--- a/racoon.te
+++ b/racoon.te
@@ -8,7 +8,6 @@ typeattribute racoon mlstrustedsubject;
net_domain(racoon)
binder_use(racoon)
-binder_call(racoon, keystore)
allow racoon tun_device:chr_file r_file_perms;
allow racoon cgroup:dir { add_name create };
@@ -22,3 +21,12 @@ allow racoon self:capability { net_admin net_bind_service net_raw setuid };
allow racoon system_file:file rx_file_perms;
allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms;
+
+use_keystore(racoon)
+
+# Racoon (VPN) has a restricted set of permissions from the default.
+allow racoon keystore:keystore_key {
+ get
+ sign
+ verify
+};
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-27 23:29:35 +0000