author | Sandeep Patil <sspatil@google.com> | 2017-04-14 17:49:05 -0700 |
---|---|---|
committer | Cosme Domínguez Díaz <cosme.ddiaz@gmail.com> | 2018-04-09 01:31:37 +0200 |
commit | 654ffe0d79d75db93f3dab124386fcae92eacfd3 (patch) | |
tree | 6867b1b5167bf073439f4e33fcfc33d560fadf76 /sepolicy/netmgrd.te | |
parent | da427996570c7ec070e61d191e0fc8d0db778bcf (diff) |
netmgrd: use netutils_wrappers
Add required permissions for netmgrd to use the new netutils wrappers
Bug: 36463595
Test: boot sailfish, test LTE, wifi, wifi calling and phone calls work
Change-Id: I5894ee2659f97fce4f4f2b16c54c10f42484b454
Signed-off-by: Sandeep Patil <sspatil@google.com>
Diffstat (limited to 'sepolicy/netmgrd.te')
-rw-r--r-- | sepolicy/netmgrd.te | 60 |
1 files changed, 55 insertions, 5 deletions
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 0f20b71..c7ed94d 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -1,5 +1,55 @@
-type_transition netmgrd system_data_file:file netmgrd_data_file "log.txt";
-allow netmgrd self:capability dac_override;
-allow netmgrd netmgrd_data_file:file rw_file_perms;
-allow netmgrd diag_device:chr_file { read write };
-allow netmgrd net_data_file:dir read;
+net_domain(netmgrd)
+
+# Grant access to Qualcomm MSM Interface (QMI) radio sockets
+qmux_socket(netmgrd)
+
+wakelock_use(netmgrd)
+
+# create socket in /dev/socket/netmgrd/
+allow netmgrd netmgrd_socket:dir rw_dir_perms;
+allow netmgrd netmgrd_socket:sock_file create_file_perms;
+
+# communicate with netd
+unix_socket_connect(netmgrd, netd, netd)
+
+allow netmgrd proc_net:file rw_file_perms;
+
+allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };
+
+# read /data/misc/net
+allow netmgrd net_data_file:dir r_dir_perms;
+allow netmgrd net_data_file:file r_file_perms;
+# read and write /data/misc/netmgr
+userdebug_or_eng(`
+ allow netmgrd netmgr_data_file:dir rw_dir_perms;
+ allow netmgrd netmgr_data_file:file create_file_perms;
+')
+
+# execute shell, ip, and toolbox
+allow netmgrd vendor_shell_exec:file rx_file_perms;
+allow netmgrd vendor_toolbox_exec:file rx_file_perms;
+
+# netmgrd sockets
+allow netmgrd self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
+allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netmgrd self:rawip_socket create_socket_perms_no_ioctl;
+allow netmgrd self:socket create_socket_perms;
+# in addition to ioctl commands granted to domain allow netmgrd to use:
+allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
+allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
+
+set_prop(netmgrd, net_radio_prop)
+
+# read files in /sys
+r_dir_file(netmgrd, sysfs_type)
+allow netmgrd sysfs_net:file write;
+
+userdebug_or_eng(`
+ allow netmgrd diag_device:chr_file rw_file_perms;
+')
+
+# For netmgrd to be able to execute netutils wrappers
+domain_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)
+allow netmgrd netutils_wrapper_exec:file { open read getattr execute };
+allow netmgrd netutils_wrapper:process sigkill; |
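Review bot: The rule `allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };` is the only grant in this hunk without a comment explaining which operation needs it, and setuid/setgid/setpcap together let the daemon change its uid/gid and alter its capability sets, which goes beyond what the neighbouring rules (netlink_route nlmsg_write, rawip sockets, proc_net and sysfs_net writes) account for. Given that the stated purpose of the commit is to move ip/iptables invocations into the separately-confined netutils_wrapper domain, I would expect netmgrd's own capability set to shrink rather than grow; if the setuid-family bits exist for a privilege drop at startup, document that with `# net_admin/net_raw: netlink + raw sockets; setuid/setgid/setpcap: privilege drop at init (confirm still needed with netutils_wrapper)` and remove any bit the denial logs from the sailfish test do not show. Separately, `allow netmgrd netutils_wrapper_exec:file { open read getattr execute };` directly after `domain_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)` is redundant if that macro already grants those file permissions on the entry point, as the AOSP te_macros definition of this period does; if so, dropping the explicit line keeps the rule set minimal and easier to audit.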