| # Applies to every domain. get_prop is a macro defined outside this excerpt; |
| # presumably it grants read access to properties labeled camera_prop - confirm. |
| get_prop(domain, camera_prop) |
| |
| # dontaudit grants nothing: it only suppresses the AVC denial record written |
| # when a domain is refused the sys_module capability on itself. |
| # NOTE(review): these denials will be absent from the audit log for all |
| # domains, so refused module-load attempts cannot be detected from AVC records. |
| dontaudit domain self:capability sys_module; |
| |
| # limit the socket ioctl commands granted to all domain processes. |
| # Only allow unprivileged commands unless explicitly granted. |
| # allowxperm filters by ioctl command number only; the ioctl permission itself |
| # must still be granted by an allow rule. unpriv_sock_ioctls and |
| # unpriv_tty_ioctls are macros defined outside this excerpt. |
| allowxperm domain domain:{ rawip_socket tcp_socket udp_socket } |
| ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; |
| |
| # unix/stream sockets are already locked down in core policy. |
| # Ioctl commands on the socket class are used in a few domains. e.g. location. |
| # Whitelisting command 0 (a no-op command) forces all domains to specify a |
| # whitelist when using the following socket classes. |
| # Net effect: once this rule exists, ioctl on these classes is filtered by |
| # command number for every domain, and only command 0 passes until a domain |
| # adds its own allowxperm listing the commands it needs. |
| # TODO remove the ioctl command for socket classes that do not use it. |
| allowxperm domain domain:{ |
| socket |
| netlink_generic_socket |
| netlink_kobject_uevent_socket |
| tun_socket |
| netlink_socket |
| netlink_tcpdiag_socket |
| netlink_nflog_socket |
| packet_socket |
| netlink_xfrm_socket |
| netlink_audit_socket |
| netlink_netfilter_socket |
| key_socket |
| } ioctl { 0 }; |
| |
| # line in the (se)sand: DO NOT grant net_admin capability! |
| # neverallow is a build-time assertion: policy compilation fails if any allow |
| # rule gives the net_admin capability to a domain that is not subtracted from |
| # the set below. Every -type entry is an exemption from that check, so any |
| # addition to this list widens who may hold net_admin and deserves review. |
| # NOTE(review): three device-specific exemptions carry STOPSHIP b/28340421; |
| # presumably they are temporary and must be removed before release - confirm. |
| neverallow { |
| domain |
| -bluetooth |
| -clatd |
| -dhcp |
| -dnsmasq |
| -dumpstate |
| -healthd |
| -hostapd |
| -init |
| -netd |
| -ppp |
| -racoon |
| -rild |
| -system_server |
| -ueventd |
| -vold |
| -wpa |
| # device specific |
| -netmgrd |
| -cnss-daemon # STOPSHIP b/28340421 |
| -cnss_diag # STOPSHIP b/28340421 |
| -location # STOPSHIP b/28340421 |
| } self:capability net_admin; |
| |
| # Build-time assertion with no exemptions: no domain may be granted any |
| # permission (the trailing *) on the socket classes below, for any target |
| # type (the leading *). |
| # NOTE(review): presumably these socket classes are not needed on this |
| # device and are blocked to keep them out of reach - confirm. |
| neverallow domain *:{ |
| appletalk_socket |
| netlink_firewall_socket |
| netlink_ip6fw_socket |
| netlink_dnrt_socket |
| netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket |
| netlink_scsitransport_socket |
| netlink_rdma_socket netlink_crypto_socket |
| } *; |