1get_prop(domain, camera_prop) 2 3dontaudit domain self:capability sys_module; 4 5# limit the socket ioctl commands granted to all domain processes. 6# Only allow unprivilaged commands unless explicitly granted. 7allowxperm domain domain:{ rawip_socket tcp_socket udp_socket } 8 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; 9 10# unix/stream sockets are already locked down in core policy. 11# Ioctl commands on the socket class are used in a few domains. e.g. location. 12# Whitelisting command 0 (a no-op command) forces all domains to specify a 13# whitelist when using the following socket classes. 14# TODO remove the ioctl command for socket classes that do not use it. 15allowxperm domain domain:{ 16 socket 17 netlink_generic_socket 18 netlink_kobject_uevent_socket 19 tun_socket 20 netlink_socket 21 netlink_tcpdiag_socket 22 netlink_nflog_socket 23 packet_socket 24 netlink_xfrm_socket 25 netlink_audit_socket 26 netlink_netfilter_socket 27 key_socket 28} ioctl { 0 }; 29 30# line in the (se)sand: DO NOT grant net_admin capability! 31neverallow { 32 domain 33 -bluetooth 34 -clatd 35 -dhcp 36 -dnsmasq 37 -dumpstate 38 -healthd 39 -hostapd 40 -init 41 -netd 42 -ppp 43 -racoon 44 -rild 45 -system_server 46 -ueventd 47 -vold 48 -wpa 49 # device specific 50 -netmgrd 51 -cnss-daemon # STOPSHIP b/28340421 52 -cnss_diag # STOPSHIP b/28340421 53 -location # STOPSHIP b/28340421 54} self:capability net_admin; 55 56neverallow domain *:{ 57 appletalk_socket 58 netlink_firewall_socket 59 netlink_ip6fw_socket 60 netlink_dnrt_socket 61 netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket 62 netlink_scsitransport_socket 63 netlink_rdma_socket netlink_crypto_socket 64} *; 65