sepolicy: Allow netutils to use dac_override

Change-Id: I2b7470e568f32a148e0da0254237b8e8ec796706
Corvus-Q · Nov 2, 2020 · 87a78b7 · 87a78b7
1 parent e1a05e9
commit 87a78b7
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/private/domain.te b/private/domain.te
@@ -300,6 +300,7 @@ define(`dac_override_allowed', `{
   lmkd
   migrate_legacy_obb_data
   netd
+  netutils_wrapper
   postinstall_dexopt
   recovery
   rss_hwm_reset

diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
@@ -27,6 +27,9 @@ allow netutils_wrapper fs_bpf:dir search;
 allow netutils_wrapper fs_bpf:file { read write };
 allow netutils_wrapper bpfloader:bpf prog_run;
 
+# For q vendor haxx
+allow netutils_wrapper self:capability dac_override;
+
 # For /data/misc/net access to ndc and ip
 r_dir_file(netutils_wrapper, net_data_file)
 
@@ -41,4 +44,4 @@ dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
 dontaudit netutils_wrapper sysfs_type:file read;
 
 # netutils wrapper may only use the following capabilities.
-neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
+neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw dac_override};