sepolicy: Add support for dnscrypt-proxy

syphyr · Jun 21, 2020 · 580f2ab · 580f2ab
1 parent 089232a
commit 580f2ab
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 0 deletions.
diff --git a/dnscrypt_proxy.te b/dnscrypt_proxy.te
@@ -0,0 +1,37 @@
+##
+## SEPolicy to execute dnscrypt_proxy (transition from init)
+##
+type dnscrypt_proxy, domain;
+type dnscrypt_proxy_exec, exec_type, file_type;
+
+typeattribute dnscrypt_proxy domain;
+init_daemon_domain(dnscrypt_proxy)
+
+allow dnscrypt_proxy system_file:dir r_dir_perms;
+allow dnscrypt_proxy system_file:file { lock execute_no_trans };
+allow dnscrypt_proxy node:tcp_socket { node_bind };
+allow dnscrypt_proxy node:udp_socket { node_bind };
+allow dnscrypt_proxy port:tcp_socket { name_bind name_connect };
+allow dnscrypt_proxy port:udp_socket { name_bind };
+allow dnscrypt_proxy proc_net:file r_file_perms;
+allow dnscrypt_proxy proc_stat:file r_file_perms;
+allow dnscrypt_proxy properties_device:dir r_dir_perms;
+allow dnscrypt_proxy devpts:chr_file { open read write };
+allow dnscrypt_proxy shell_exec:file rx_file_perms;
+allow dnscrypt_proxy shell_data_file:dir create_dir_perms;
+allow dnscrypt_proxy shell_data_file:file create_file_perms;
+allow dnscrypt_proxy toolbox_exec:file rx_file_perms;
+allow dnscrypt_proxy property_socket:sock_file write;
+allow dnscrypt_proxy self:capability { net_admin net_raw sys_ptrace dac_override };
+allow dnscrypt_proxy self:capability2 block_suspend;
+allow dnscrypt_proxy self:rawip_socket create_socket_perms;
+allow dnscrypt_proxy self:tcp_socket { create_socket_perms listen accept };
+allow dnscrypt_proxy self:udp_socket create_socket_perms;
+allow dnscrypt_proxy init:file r_file_perms;
+allow dnscrypt_proxy init:dir r_dir_perms;
+allow dnscrypt_proxy dnscrypt_proxy_exec:file execute_no_trans;
+allow dnscrypt_proxy kernel:file read;
+allow dnscrypt_proxy rootfs:dir { read open };
+allow dnscrypt_proxy dnsproxyd_socket:sock_file write;
+allow dnscrypt_proxy init:unix_stream_socket connectto;
+set_prop(dnscrypt_proxy, system_prop)
diff --git a/domain.te b/domain.te
@@ -158,6 +158,7 @@ neverallow {
   -vold
   -dumpstate
   -system_server
+  -dnscrypt_proxy
   userdebug_or_eng(`-perfprofd')
 } self:capability sys_ptrace;
 
@@ -543,6 +544,7 @@ neverallow {
   -init
   -shell
   -vold
+  -dnscrypt_proxy
 } shell_data_file:dir no_w_dir_perms;
 
 neverallow {
@@ -553,6 +555,7 @@ neverallow {
   -init
   -installd
   -system_server # why?
+  -dnscrypt_proxy
   userdebug_or_eng(`-uncrypt')
 } shell_data_file:dir { open search };
 
@@ -564,6 +567,7 @@ neverallow {
   -appdomain
   -dumpstate
   -installd
+  -dnscrypt_proxy
   userdebug_or_eng(`-uncrypt')
 } shell_data_file:file open;
 

diff --git a/file_contexts b/file_contexts
@@ -402,3 +402,8 @@
 /mnt/user(/.*)?             u:object_r:mnt_user_file:s0
 /mnt/runtime(/.*)?          u:object_r:storage_file:s0
 /storage(/.*)?              u:object_r:storage_file:s0
+
+# dnscrypt-proxy
+/system/bin/dnscrypt           u:object_r:dnscrypt_proxy_exec:s0
+/system/bin/dnscrypt-iptables  u:object_r:dnscrypt_proxy_exec:s0
+/system/xbin/dnscrypt-proxy    u:object_r:dnscrypt_proxy_exec:s0
diff --git a/property_contexts b/property_contexts
@@ -95,3 +95,6 @@ config.                 u:object_r:config_prop:s0
 ro.config.              u:object_r:config_prop:s0
 dalvik.                 u:object_r:dalvik_prop:s0
 ro.dalvik.              u:object_r:dalvik_prop:s0
+
+# Dnscrypt Proxy
+persist.privacy.        u:object_r:system_prop:s0