From 580f2ab6dd13895f0fe8024004a68e1c71de7496 Mon Sep 17 00:00:00 2001
From: syphyr
Date: Sun, 14 Jun 2020 01:24:39 +0200
Subject: [PATCH] sepolicy: Add support for dnscrypt-proxy
---
 dnscrypt_proxy.te | 37 +++++++++++++++++++++++++++++++++++++
 domain.te | 4 ++++
 file_contexts | 5 +++++
 property_contexts | 3 +++
 4 files changed, 49 insertions(+)
 create mode 100644 dnscrypt_proxy.te
diff --git a/dnscrypt_proxy.te b/dnscrypt_proxy.te
new file mode 100644
index 0000000000..66a18fb642
--- /dev/null
+++ b/dnscrypt_proxy.te
@@ -0,0 +1,37 @@
+##
+## SEPolicy to execute dnscrypt_proxy (transition from init)
+##
+type dnscrypt_proxy, domain;
+type dnscrypt_proxy_exec, exec_type, file_type;
+
+typeattribute dnscrypt_proxy domain;
+init_daemon_domain(dnscrypt_proxy)
+
+allow dnscrypt_proxy system_file:dir r_dir_perms;
+allow dnscrypt_proxy system_file:file { lock execute_no_trans };
+allow dnscrypt_proxy node:tcp_socket { node_bind };
+allow dnscrypt_proxy node:udp_socket { node_bind };
+allow dnscrypt_proxy port:tcp_socket { name_bind name_connect };
+allow dnscrypt_proxy port:udp_socket { name_bind };
+allow dnscrypt_proxy proc_net:file r_file_perms;
+allow dnscrypt_proxy proc_stat:file r_file_perms;
+allow dnscrypt_proxy properties_device:dir r_dir_perms;
+allow dnscrypt_proxy devpts:chr_file { open read write };
+allow dnscrypt_proxy shell_exec:file rx_file_perms;
+allow dnscrypt_proxy shell_data_file:dir create_dir_perms;
+allow dnscrypt_proxy shell_data_file:file create_file_perms;
+allow dnscrypt_proxy toolbox_exec:file rx_file_perms;
+allow dnscrypt_proxy property_socket:sock_file write;
+allow dnscrypt_proxy self:capability { net_admin net_raw sys_ptrace dac_override };
+allow dnscrypt_proxy self:capability2 block_suspend;
+allow dnscrypt_proxy self:rawip_socket create_socket_perms;
+allow dnscrypt_proxy self:tcp_socket { create_socket_perms listen accept };
+allow dnscrypt_proxy self:udp_socket create_socket_perms;
+allow dnscrypt_proxy init:file r_file_perms;
+allow dnscrypt_proxy init:dir r_dir_perms;
+allow dnscrypt_proxy dnscrypt_proxy_exec:file execute_no_trans;
+allow dnscrypt_proxy kernel:file read;
+allow dnscrypt_proxy rootfs:dir { read open };
+allow dnscrypt_proxy dnsproxyd_socket:sock_file write;
+allow dnscrypt_proxy init:unix_stream_socket connectto;
+set_prop(dnscrypt_proxy, system_prop)
diff --git a/domain.te b/domain.te
index 59de1f1294..1d77581bd2 100644
--- a/domain.te
+++ b/domain.te
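Review bot: The `self:capability` rule gives `sys_ptrace` and `dac_override` to a domain that also binds and connects network sockets, and nothing in this file shows what needs either capability. Read together with the `init:file`, `init:dir` and `kernel:file` read rules, they look like denials logged while a helper walked /proc and then copied into the policy; that is an inference from the rule set, not something the patch states. If so, keep only the network capabilities and silence the rest: `allow dnscrypt_proxy self:capability { net_admin net_raw };` and `dontaudit dnscrypt_proxy self:capability { sys_ptrace dac_override };`. That also removes the need for the `sys_ptrace` neverallow exemption this commit adds in domain.te.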
@@ -158,6 +158,7 @@ neverallow { -vold -dumpstate -system_server + -dnscrypt_proxy userdebug_or_eng(`-perfprofd') } self:capability sys_ptrace; @@ -543,6 +544,7 @@ neverallow { -init -shell -vold + -dnscrypt_proxy } shell_data_file:dir no_w_dir_perms; neverallow { @@ -553,6 +555,7 @@ neverallow { -init -installd -system_server # why? + -dnscrypt_proxy userdebug_or_eng(`-uncrypt') } shell_data_file:dir { open search }; @@ -564,6 +567,7 @@ neverallow { -appdomain -dumpstate -installd + -dnscrypt_proxy userdebug_or_eng(`-uncrypt') } shell_data_file:file open; diff --git a/file_contexts b/file_contexts index 085a57bb6a..858eca0301 100644 --- a/file_contexts +++ b/file_contexts @@ -402,3 +402,8 @@ /mnt/user(/.*)? u:object_r:mnt_user_file:s0 /mnt/runtime(/.*)? u:object_r:storage_file:s0 /storage(/.*)? u:object_r:storage_file:s0 + +# dnscrypt-proxy +/system/bin/dnscrypt u:object_r:dnscrypt_proxy_exec:s0 +/system/bin/dnscrypt-iptables u:object_r:dnscrypt_proxy_exec:s0 +/system/xbin/dnscrypt-proxy u:object_r:dnscrypt_proxy_exec:s0 diff --git a/property_contexts b/property_contexts index 4368a989b9..9393e46378 100644 --- a/property_contexts +++ b/property_contexts @@ -95,3 +95,6 @@ config. u:object_r:config_prop:s0 ro.config. u:object_r:config_prop:s0 dalvik. u:object_r:dalvik_prop:s0 ro.dalvik. u:object_r:dalvik_prop:s0 + +# Dnscrypt Proxy +persist.privacy. u:object_r:system_prop:s0
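Review bot: Each of the four hunks in domain.te exempts `dnscrypt_proxy` from a neverallow rule instead of changing the daemon so the rule holds: the first covers `self:capability sys_ptrace`, the other three cover write, search and open access to `shell_data_file`. `shell_data_file` is the label AOSP puts on /data/local/tmp, which the adb shell user can write, so a daemon holding `net_admin` would be reading and creating files in a directory a less-privileged domain controls. Giving the daemon its own data type keeps all three `shell_data_file` rules intact, for example `type dnscrypt_proxy_data_file, file_type, data_file_type;` (name suggested here) with a matching file_contexts entry for its directory. The neverallow blocks start before these hunks, so the full exemption lists are not visible here.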
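Review bot: All three executables get `dnscrypt_proxy_exec`, so the long-running proxy and the `dnscrypt-iptables` helper run in one domain and the proxy inherits every permission the helper needs (`net_admin`, `net_raw`, shell and toolbox execution). A separate label for the helper, e.g. `/system/bin/dnscrypt-iptables u:object_r:dnscrypt_iptables_exec:s0` (type name suggested here) with its own small domain, would let the proxy domain drop to socket permissions only. Which binary actually needs which rule cannot be told from the patch, so the split should be driven by the denials each one produces on its own.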
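Review bot: `persist.privacy.` is mapped to the shared `system_prop` label, and the `set_prop(dnscrypt_proxy, system_prop)` line in dnscrypt_proxy.te then lets the daemon write every property carrying that label, not only its own prefix. A dedicated type limits the grant to this prefix: `persist.privacy. u:object_r:dnscrypt_prop:s0`, declared with `type dnscrypt_prop, property_type;` and granted with `set_prop(dnscrypt_proxy, dnscrypt_prop)` (type name suggested here). If the daemon only reads these properties, the `set_prop` line can go altogether.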