bsp/non_plat/wo_ipsec.te - LeafOS-Devices/android_device_mediatek_sepolicy - Gitiles

 # ==============================================
 # Policy File of /vendor/bin/wo_ipsec Executable File

 # ==============================================
 # Common SEPolicy Rule
 # ==============================================

 type wo_ipsec_exec, exec_type, file_type, vendor_file_type;

 net_domain(wo_ipsec)

 domain_auto_trans(wo_ipsec, netutils_wrapper_exec, netutils_wrapper)

 # Purpose :  access xfrm
 allow wo_ipsec proc_net:file w_file_perms;

 # Purpose :  send command to epdg_wod
 allow wo_ipsec wo_epdg_ipsec_socket:sock_file write;

 # Purpose :  create socket for IKEv2 protocol
 allow wo_ipsec node:udp_socket node_bind;
 allow wo_ipsec port:tcp_socket name_connect;
 allow wo_ipsec port:udp_socket name_bind;

 # Purpose :  Query DNS address
 allow wo_ipsec netd:unix_stream_socket connectto;
 allow wo_ipsec dnsproxyd_socket:sock_file write;

 # Purpose :  access socket of wod and property
 allow wo_ipsec wo_epdg_client:unix_stream_socket { read write connectto };

 # Purpose :  output to /dev/null
 allow wo_ipsec wo_epdg_client:fd use;

 # Purpose :  starter invoke charon
 allow wo_ipsec wo_charon_exec:file execute_no_trans;

 # Purpose :  charon set fwmark
 allow wo_ipsec fwmarkd_socket:sock_file write;

 # Purpose :  send/receive packet to/from peer
 allow wo_ipsec self:tcp_socket { write getattr connect read getopt create };
 allow wo_ipsec self:udp_socket { write bind create read setopt };

 # Purpose :  kernel ip/route operations
 allow wo_ipsec self:netlink_route_socket { write nlmsg_write read bind create nlmsg_read };
 allow wo_ipsec self:netlink_xfrm_socket { write bind create read nlmsg_write nlmsg_read };

 # Purpose :  charon read certs
 allow wo_ipsec custom_file:dir r_dir_perms;
 allow wo_ipsec custom_file:file r_file_perms;

 # Purpose : set alarm for DPD
 allow wo_ipsec self:capability2 wake_alarm;

 allow wo_ipsec devpts:chr_file rw_file_perms;

 allow wo_ipsec proc_modules:file r_file_perms;
 allow wo_ipsec vendor_shell_exec:file rx_file_perms;;
 allow wo_ipsec netd_socket:sock_file write;

 allow wo_ipsec vendor_toolbox_exec:file x_file_perms;
 allow wo_ipsec kernel:system module_request;
	# ==============================================
	# Policy File of /vendor/bin/wo_ipsec Executable File

	# ==============================================
	# Common SEPolicy Rule
	# ==============================================

	type wo_ipsec_exec, exec_type, file_type, vendor_file_type;

	net_domain(wo_ipsec)

	domain_auto_trans(wo_ipsec, netutils_wrapper_exec, netutils_wrapper)

	# Purpose : access xfrm
	allow wo_ipsec proc_net:file w_file_perms;

	# Purpose : send command to epdg_wod
	allow wo_ipsec wo_epdg_ipsec_socket:sock_file write;

	# Purpose : create socket for IKEv2 protocol
	allow wo_ipsec node:udp_socket node_bind;
	allow wo_ipsec port:tcp_socket name_connect;
	allow wo_ipsec port:udp_socket name_bind;

	# Purpose : Query DNS address
	allow wo_ipsec netd:unix_stream_socket connectto;
	allow wo_ipsec dnsproxyd_socket:sock_file write;

	# Purpose : access socket of wod and property
	allow wo_ipsec wo_epdg_client:unix_stream_socket { read write connectto };

	# Purpose : output to /dev/null
	allow wo_ipsec wo_epdg_client:fd use;

	# Purpose : starter invoke charon
	allow wo_ipsec wo_charon_exec:file execute_no_trans;

	# Purpose : charon set fwmark
	allow wo_ipsec fwmarkd_socket:sock_file write;

	# Purpose : send/receive packet to/from peer
	allow wo_ipsec self:tcp_socket { write getattr connect read getopt create };
	allow wo_ipsec self:udp_socket { write bind create read setopt };

	# Purpose : kernel ip/route operations
	allow wo_ipsec self:netlink_route_socket { write nlmsg_write read bind create nlmsg_read };
	allow wo_ipsec self:netlink_xfrm_socket { write bind create read nlmsg_write nlmsg_read };

	# Purpose : charon read certs
	allow wo_ipsec custom_file:dir r_dir_perms;
	allow wo_ipsec custom_file:file r_file_perms;

	# Purpose : set alarm for DPD
	allow wo_ipsec self:capability2 wake_alarm;

	allow wo_ipsec devpts:chr_file rw_file_perms;

	allow wo_ipsec proc_modules:file r_file_perms;
	allow wo_ipsec vendor_shell_exec:file rx_file_perms;;
	allow wo_ipsec netd_socket:sock_file write;

	allow wo_ipsec vendor_toolbox_exec:file x_file_perms;
	allow wo_ipsec kernel:system module_request;