non_plat: Label ipsec binary and grant required permissions

Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com> Change-Id: Ia0f872f152f0a651a8954aec8372b363963e0c6d
2021-01-18 20:44:32 +05:30 · 2021-01-18 20:44:32 +05:30 · df5aa45ca7
commit df5aa45ca7
parent 84ae870bb8
2 changed files with 21 additions and 1 deletions
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@ -709,7 +709,8 @@
 # Keymaster
 /dev/ut_keymaster u:object_r:ut_keymaster_device:s0

-#Ipsec
+# Ipsec
+/(system\/vendor|vendor)/bin/ipsec		u:object_r:ipsec_exec:s0
 /(system\/vendor|vendor)/bin/ipsec_mon u:object_r:ipsec_mon_exec:s0

 # IMS
--- a/non_plat/ipsec.te
+++ b/non_plat/ipsec.te
@ -0,0 +1,19 @@
+type ipsec_exec, exec_type, file_type, vendor_file_type;
+type ipsec, domain;
+
+allow ipsec proc_net:file write;
+allow ipsec { property_socket dnsproxyd_socket fwmarkd_socket }:sock_file write;
+allow ipsec { node port }:{ udp_socket rawip_socket } { node_bind name_bind };
+
+allow ipsec init:unix_stream_socket connectto;
+allow ipsec epdg_wod:unix_stream_socket { read write connectto };
+allow ipsec epdg_wod:fd use;
+
+allow ipsec self:capability { kill net_bind_service net_admin };
+allow ipsec self:{ netlink_route_socket netlink_xfrm_socket } { read write create bind nlmsg_read nlmsg_write };
+allow ipsec self:tcp_socket { read write create getattr connect getopt };
+allow ipsec self:capability2 wake_alarm;
+
+allow ipsec devpts:chr_file { read write open };
+
+set_prop(ipsec, mtk_wod_prop)