Skip to content
Snippets Groups Projects
Select Git revision
  • test default
1 result
Blame History Permalink
  • Riley Spahn's avatar
    Adding policies for KeyStore MAC. · 1196d2a5
    Riley Spahn authored 
    Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
    1196d2a5
racoon.te 874 B 
# IKE key management daemon
type racoon, domain;
type racoon_exec, exec_type, file_type;

init_daemon_domain(racoon)
typeattribute racoon mlstrustedsubject;

net_domain(racoon)

binder_use(racoon)

allow racoon tun_device:chr_file r_file_perms;
allow racoon cgroup:dir { add_name create };
allow racoon kernel:system module_request;

allow racoon self:key_socket create_socket_perms;
allow racoon self:tun_socket create_socket_perms;
allow racoon self:capability { net_admin net_bind_service net_raw setuid };

# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file rx_file_perms;
allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms;

use_keystore(racoon)

# Racoon (VPN) has a restricted set of permissions from the default.
allow racoon keystore:keystore_key {
	get
	sign
	verify
};