| # ============================================== |
| # MTK Policy Rule |
| # ============ |
| |
| # Date : WK14.48 |
| # Operation : OperaMaxSystem |
| # Purpose : for MTK_OPERAMAX_SUPPORT |
| |
| # --- Domain and types --------------------------------------------------- |
| # tunman is the daemon's process domain; tunman_exec labels its executable |
| # (the domain is entered through init_daemon_domain below). |
| type tunman, domain; |
| type tunman_exec, exec_type, file_type; |
| |
| # Label for the daemon's control socket (see the unix_socket_connect and |
| # tunman_socket rules below). mlstrustedobject exempts it from MLS constraints. |
| type tunman_socket, file_type, mlstrustedobject; |
| |
| # Property type for 'tunman.protocol' (set via property_service below). |
| type tunman_prop, property_type; |
| |
| # NOTE(review): aee_interim_data_file is declared here but not used by any |
| # rule in this file — presumably referenced elsewhere in the policy; confirm. |
| type aee_interim_data_file, file_type, mlstrustedobject; |
| |
| # Run tunman as an init-started daemon with the generic network-domain rules. |
| init_daemon_domain(tunman) |
| net_domain(tunman) |
| |
| # Allows connections to /dev/socket/tunman |
| # NOTE(review): netdomain is the attribute of all network-capable domains, |
| # presumably including app domains, so any of them may connect here; the |
| # daemon must treat everything it reads on this socket as untrusted input. |
| unix_socket_connect(netdomain, tunman, tunman) |
| |
| # Allows us to set 'tunman.protocol' property |
| # Connects to init's property service; the allow rule limits the set |
| # permission to the tunman_prop type only. |
| unix_socket_connect(tunman, property, init) |
| allow tunman tunman_prop:property_service set; |
| |
| # Allows us to talk to netd |
| unix_socket_connect(tunman, netd, netd) |
| |
| # Multiple instance detection (fs lock) |
| # NOTE(review): the lock file is created under shell_data_file, a type that is |
| # presumably also writable by the shell domain, so another writer there could |
| # interfere with the instance check; a dedicated tunman data type would be tighter. |
| allow tunman shell_data_file:dir { search write add_name}; |
| allow tunman shell_data_file:file { create open read write lock }; |
| |
| # The commented-out rules kept the lock under system_data_file; only read |
| # access to system_data_file files remains active. |
| #allow tunman system_data_file:dir { search write add_name}; |
| #allow tunman system_data_file:file { create open read write lock}; |
| allow tunman system_data_file:file { open read }; |
| |
| # TUN management |
| # net_admin: interface/route configuration for the tunnel; net_raw: raw sockets; |
| # dac_override: bypasses DAC (owner/mode) file permission checks. |
| # NOTE(review): dac_override is broad — confirm which path needs it, and prefer |
| # fixing that path's ownership/mode so the capability can be dropped. |
| allow tunman self:capability { net_admin net_raw dac_override }; |
| allow tunman tun_device:chr_file rw_file_perms; |
| allow tunman self:tun_socket create_socket_perms; |
| |
| # Allows Max to use the fd received from Tunman |
| # NOTE(review): granted to every appdomain, not only the OperaMax app; a |
| # narrower app type (if one exists for it) would limit this. |
| allow appdomain tunman:fd use; |
| |
| # Needed for protect() implementation |
| # tunman uses app-owned TCP/UDP socket fds (presumably passed over the control |
| # socket) — read/write applies to any appdomain socket handed to it. |
| allow tunman appdomain:fd use; |
| allow tunman appdomain:{ tcp_socket udp_socket } { read write }; |
| |
| # Needed for socket re-tagging |
| # Write access to the qtaguid proc control file used to re-tag sockets. |
| allow tunman qtaguid_proc:file { open write }; |
| |
| # |
| # Superseded variant that placed the socket directly under socket_device |
| # rather than the dedicated tunman_socket type used below. |
| #allow tunman socket_device:dir { search write add_name remove_name}; |
| #allow tunman socket_device:sock_file { create open read write lock unlink}; |
| #allow untrusted_app socket_device:sock_file { read write }; |
| |
| # tunman creates and removes its own socket file; untrusted_app may read/write it. |
| # NOTE(review): together with the netdomain connect rule above, any untrusted |
| # app can drive a daemon holding net_admin and dac_override — every request |
| # received on this socket must be validated by the daemon. |
| allow tunman tunman_socket:dir { search write add_name remove_name}; |
| allow tunman tunman_socket:sock_file { create open read write lock unlink}; |
| allow untrusted_app tunman_socket:sock_file { read write }; |