| get_prop(domain, camera_prop) |
| |
| dontaudit domain self:capability sys_module; |
| |
| # limit the socket ioctl commands granted to all domain processes. |
| # Only allow unprivilaged commands unless explicitly granted. |
| allowxperm domain domain:{ rawip_socket tcp_socket udp_socket } |
| ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; |
| |
| # unix/stream sockets are already locked down in core policy. |
| # Ioctl commands on the socket class are used in a few domains. e.g. location. |
| # Whitelisting command 0 (a no-op command) forces all domains to specify a |
| # whitelist when using the following socket classes. |
| # TODO remove the ioctl command for socket classes that do not use it. |
| allowxperm domain domain:{ |
| socket |
| netlink_generic_socket |
| netlink_kobject_uevent_socket |
| tun_socket |
| netlink_socket |
| netlink_tcpdiag_socket |
| netlink_nflog_socket |
| packet_socket |
| netlink_xfrm_socket |
| netlink_audit_socket |
| netlink_netfilter_socket |
| key_socket |
| } ioctl { 0 }; |
| |
| neverallow domain *:{ |
| appletalk_socket |
| netlink_firewall_socket |
| netlink_ip6fw_socket |
| netlink_dnrt_socket |
| netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket |
| netlink_scsitransport_socket |
| netlink_rdma_socket netlink_crypto_socket |
| } *; |