Bjoern Johansson | 127395f | 2017-02-09 22:28:47 -0800 | [diff] [blame] | 1 | # Network namespace transitions |
Bjoern Johansson | 760871c | 2017-08-31 12:57:18 -0700 | [diff] [blame] | 2 | type execns, domain; |
| 3 | type execns_exec, exec_type, vendor_file_type, file_type; |
Bjoern Johansson | 127395f | 2017-02-09 22:28:47 -0800 | [diff] [blame] | 4 | |
| 5 | init_daemon_domain(execns) |
| 6 | |
| 7 | allow execns varrun_file:dir search; |
Bjoern Johansson | ca5bfb1 | 2018-03-19 11:14:30 -0700 | [diff] [blame] | 8 | allow execns varrun_file:file r_file_perms; |
Bjoern Johansson | 127395f | 2017-02-09 22:28:47 -0800 | [diff] [blame] | 9 | allow execns self:capability sys_admin; |
Bjoern Johansson | ca5bfb1 | 2018-03-19 11:14:30 -0700 | [diff] [blame] | 10 | allow execns nsfs:file { open read }; |
Bjoern Johansson | 127395f | 2017-02-09 22:28:47 -0800 | [diff] [blame] | 11 | |
| 12 | #Allow execns itself to be run by init in its own domain |
| 13 | domain_auto_trans(init, execns_exec, execns); |
| 14 | |
Bjoern Johansson | 3c4b342 | 2017-07-06 15:52:57 -0700 | [diff] [blame] | 15 | # Allow dhcpclient to be run by execns in its own domain |
| 16 | domain_auto_trans(execns, dhcpclient_exec, dhcpclient); |
| 17 | |
| 18 | # Allow dhcpserver to be run by execns in its own domain |
| 19 | domain_auto_trans(execns, dhcpserver_exec, dhcpserver); |
| 20 | |
Bjoern Johansson | ca5bfb1 | 2018-03-19 11:14:30 -0700 | [diff] [blame] | 21 | # Rules to allow execution of hostapd and allow it to run |
| 22 | allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans }; |
| 23 | allow execns self:capability { net_admin net_raw }; |
| 24 | allow execns self:netlink_generic_socket { bind create getattr read setopt write }; |
| 25 | allow execns self:netlink_route_socket { bind create read write nlmsg_write }; |
| 26 | allow execns execns:udp_socket { create ioctl }; |
| 27 | allow execns self:packet_socket { create setopt }; |
| 28 | allow execns sysfs_net:dir { search }; |
| 29 | allowxperm execns self:udp_socket ioctl priv_sock_ioctls; |
| 30 | |
| 31 | # Allow execns to read createns proc file to get the namespace file |
| 32 | allow execns createns:file read; |
| 33 | allow execns createns:dir search; |
| 34 | allow execns createns:lnk_file read; |