sepolicy/netmgrd.te - device/google/marlin - Git at Google

 # Policy for /vendor/bin/netmgrd
 type netmgrd, domain;
 type netmgrd_exec, exec_type, vendor_file_type, file_type;

 init_daemon_domain(netmgrd)
 net_domain(netmgrd)

 # Grant access to Qualcomm MSM Interface (QMI) radio sockets
 qmux_socket(netmgrd)

 wakelock_use(netmgrd)

 # create socket in /dev/socket/netmgrd/
 allow netmgrd netmgrd_socket:dir rw_dir_perms;
 allow netmgrd netmgrd_socket:sock_file create_file_perms;

 allow netmgrd proc_net_type:file rw_file_perms;

 allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };


 # TODO(b/36682246): Remove data_between_core_and_vendor_violators once
 # netmgrd no longer directly accesses /data owned by the frameworks.
 typeattribute netmgrd data_between_core_and_vendor_violators;
 # read /data/misc/net
 allow netmgrd net_data_file:dir r_dir_perms;
 allow netmgrd net_data_file:file r_file_perms;
 # read and write /data/misc/netmgr
 userdebug_or_eng(`
   allow netmgrd netmgr_data_file:dir rw_dir_perms;
   allow netmgrd netmgr_data_file:file create_file_perms;
 ')

 # execute shell, ip, and toolbox
 allow netmgrd vendor_shell_exec:file rx_file_perms;
 allow netmgrd vendor_toolbox_exec:file rx_file_perms;

 # netmgrd sockets
 allow netmgrd self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
 allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
 allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
 allow netmgrd self:rawip_socket create_socket_perms_no_ioctl;
 allow netmgrd self:socket create_socket_perms;
 # in addition to ioctl commands granted to domain allow netmgrd to use:
 allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
 allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;

 set_prop(netmgrd, net_radio_prop)

 # read files in /sys
 r_dir_file(netmgrd, sysfs_type)
 allow netmgrd sysfs_net:file write;

 userdebug_or_eng(`
   allow netmgrd diag_device:chr_file rw_file_perms;
 ')

 # For netmgrd to be able to execute netutils wrappers
 domain_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)
 allow netmgrd netutils_wrapper_exec:file { open read getattr execute };
 allow netmgrd netutils_wrapper:process sigkill;
	# Policy for /vendor/bin/netmgrd
	type netmgrd, domain;
	type netmgrd_exec, exec_type, vendor_file_type, file_type;

	init_daemon_domain(netmgrd)
	net_domain(netmgrd)

	# Grant access to Qualcomm MSM Interface (QMI) radio sockets
	qmux_socket(netmgrd)

	wakelock_use(netmgrd)

	# create socket in /dev/socket/netmgrd/
	allow netmgrd netmgrd_socket:dir rw_dir_perms;
	allow netmgrd netmgrd_socket:sock_file create_file_perms;

	allow netmgrd proc_net_type:file rw_file_perms;

	allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };


	# TODO(b/36682246): Remove data_between_core_and_vendor_violators once
	# netmgrd no longer directly accesses /data owned by the frameworks.
	typeattribute netmgrd data_between_core_and_vendor_violators;
	# read /data/misc/net
	allow netmgrd net_data_file:dir r_dir_perms;
	allow netmgrd net_data_file:file r_file_perms;
	# read and write /data/misc/netmgr
	userdebug_or_eng(`
	allow netmgrd netmgr_data_file:dir rw_dir_perms;
	allow netmgrd netmgr_data_file:file create_file_perms;
	')

	# execute shell, ip, and toolbox
	allow netmgrd vendor_shell_exec:file rx_file_perms;
	allow netmgrd vendor_toolbox_exec:file rx_file_perms;

	# netmgrd sockets
	allow netmgrd self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
	allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
	allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
	allow netmgrd self:rawip_socket create_socket_perms_no_ioctl;
	allow netmgrd self:socket create_socket_perms;
	# in addition to ioctl commands granted to domain allow netmgrd to use:
	allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
	allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;

	set_prop(netmgrd, net_radio_prop)

	# read files in /sys
	r_dir_file(netmgrd, sysfs_type)
	allow netmgrd sysfs_net:file write;

	userdebug_or_eng(`
	allow netmgrd diag_device:chr_file rw_file_perms;
	')

	# For netmgrd to be able to execute netutils wrappers
	domain_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)
	allow netmgrd netutils_wrapper_exec:file { open read getattr execute };
	allow netmgrd netutils_wrapper:process sigkill;