| # Network namespace transitions |
| type execns, domain; |
| type execns_exec, exec_type, vendor_file_type, file_type; |
| |
| init_daemon_domain(execns) |
| |
| allow execns varrun_file:dir search; |
| allow execns varrun_file:file r_file_perms; |
| allow execns self:capability sys_admin; |
| allow execns nsfs:file { open read }; |
| |
| #Allow execns itself to be run by init in its own domain |
| domain_auto_trans(init, execns_exec, execns); |
| |
| # Allow dhcpclient to be run by execns in its own domain |
| domain_auto_trans(execns, dhcpclient_exec, dhcpclient); |
| |
| # Allow dhcpserver to be run by execns in its own domain |
| domain_auto_trans(execns, dhcpserver_exec, dhcpserver); |
| |
| # Rules to allow execution of hostapd and allow it to run |
| allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans }; |
| allow execns self:capability { net_admin net_raw }; |
| allow execns self:netlink_generic_socket { bind create getattr read setopt write }; |
| allow execns self:netlink_route_socket { bind create read write nlmsg_write }; |
| allow execns execns:udp_socket { create ioctl }; |
| allow execns self:packet_socket { create setopt }; |
| allow execns sysfs_net:dir { search }; |
| allowxperm execns self:udp_socket ioctl priv_sock_ioctls; |
| |
| # Allow execns to read createns proc file to get the namespace file |
| allow execns createns:file read; |
| allow execns createns:dir search; |
| allow execns createns:lnk_file read; |
