policy_module(wireguard, 1.0.0)

########################################
#
# Declarations
#

type wireguard_t;
type wireguard_exec_t;
init_system_domain(wireguard_t, wireguard_exec_t)
# needs privowner because it assigns the identity system_u to device nodes
# but runs as the identity of the sysadmin
domain_obj_id_change_exemption(wireguard_t)
role system_r types wireguard_t;

type wireguard_script_t;
type wireguard_script_exec_t;
init_system_domain(wireguard_script_t, wireguard_script_exec_t)
domtrans_pattern(wireguard_script_t, wireguard_exec_t, wireguard_t)

type wireguard_etc_t;
files_type(wireguard_etc_t)

########################################
#
# wireguard Local policy
#

kernel_request_load_module(wireguard_t)

allow wireguard_t self:capability net_admin;
allow wireguard_t self:netlink_generic_socket create_socket_perms;
allow wireguard_t self:netlink_route_socket r_netlink_socket_perms;
allow wireguard_t self:udp_socket create_socket_perms;

allow wireguard_t wireguard_script_t:fifo_file read_fifo_file_perms;

manage_dirs_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
manage_files_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
manage_lnk_files_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
files_etc_filetrans(wireguard_t, wireguard_etc_t, dir)
filetrans_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t, file)

userdom_use_user_ptys(wireguard_t)
domain_use_interactive_fds(wireguard_t)

########################################
#
# wireguard-quick Local policy
#

files_read_etc_files(wireguard_script_t)
corecmd_exec_bin(wireguard_script_t)
corecmd_exec_shell(wireguard_script_t)
sysnet_domtrans_ifconfig(wireguard_script_t)

manage_dirs_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t)
manage_files_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t)
manage_lnk_files_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t)
filetrans_pattern(wireguard_script_t, wireguard_etc_t, wireguard_etc_t, file)

allow wireguard_script_t self:fifo_file rw_fifo_file_perms;

kernel_read_network_state(wireguard_script_t)

miscfiles_read_localization(wireguard_script_t)

userdom_use_user_ptys(wireguard_script_t)
domain_use_interactive_fds(wireguard_script_t)

########################################
#
# optional policy
#

optional_policy(`
        gen_require(`
                type sysadm_t;
		role sysadm_r;
        ')

        wireguard_run(sysadm_t, sysadm_r)
')