# netmgrd: Qualcomm vendor network manager daemon.
# Assumes the domain itself (type netmgrd, domain; plus its exec type and
# init_daemon_domain) is declared earlier in this file, outside this view;
# only the access rules are listed here.
#
# Privilege summary for reviewers: this domain holds CAP_NET_ADMIN and
# CAP_NET_RAW, may rewrite routing and xfrm (IPsec) state over netlink, may
# write /proc/net and sysfs_net, and may exec the vendor shell and toolbox.
# It also talks QMI to the modem, so anything it parses from that side is
# presumably untrusted input -- a bug here is close to a network-stack
# compromise. Keep these rules as narrow as the daemon allows.

# Base network access, QMI radio sockets and wakelock control.
net_domain(netmgrd)
qmux_socket(netmgrd)
wakelock_use(netmgrd)

# Linux capabilities. setuid/setgid/setpcap are presumably used to drop
# privileges after start-up -- confirm against the daemon init code, since
# the same bits let a compromised process change identity.
allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };

# Sockets the daemon creates for itself.
# Route and xfrm netlink with nlmsg_write: routing tables and IPsec SAs/SPs
# can be changed, not just queried.
allow netmgrd self:{ netlink_route_socket netlink_xfrm_socket } {
    create_socket_perms_no_ioctl nlmsg_read nlmsg_write
};
allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
allow netmgrd self:rawip_socket create_socket_perms_no_ioctl;
# The generic socket class keeps ioctl; the allowxperm rules below decide
# which ioctl numbers are actually reachable.
allow netmgrd self:socket create_socket_perms;
# Extend the ioctl allow-list every domain already has: privileged socket
# ioctls on UDP sockets, and the MSM IPC router ioctls on the generic socket.
allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;

# Its own control socket directory under /dev/socket/netmgrd/, and a client
# connection to the netd socket.
allow netmgrd netmgrd_socket:dir rw_dir_perms;
allow netmgrd netmgrd_socket:sock_file create_file_perms;
unix_socket_connect(netmgrd, netd, netd)

# Kernel network state: read/write /proc/net, read-only sysfs, write to
# sysfs_net.
# NOTE(review): sysfs_type covers every sysfs label on the device. Narrowing
# the read rule to the specific sysfs_* types netmgrd actually opens would be
# preferable once those are known from audit logs.
allow netmgrd proc_net:file rw_file_perms;
r_dir_file(netmgrd, sysfs_type)
allow netmgrd sysfs_net:file write;

# Persistent data: /data/misc/net is read-only for this domain.
# /data/misc/netmgr is writable only on userdebug/eng builds (see the end of
# this file).
r_dir_file(netmgrd, net_data_file)

# Radio network system properties.
set_prop(netmgrd, net_radio_prop)

# Helper binaries. netmgrd runs the vendor shell and toolbox in its own
# domain, and the netutils wrappers (AOSP wrapper for ip/iptables and
# similar) through a domain transition into netutils_wrapper.
# NOTE(review): exec of a shell from a CAP_NET_ADMIN daemon turns any
# command-construction bug into arbitrary privileged command execution;
# invoking the tools directly (or only via netutils_wrapper) is the safer
# shape if the daemon permits it.
allow netmgrd { vendor_shell_exec vendor_toolbox_exec }:file rx_file_perms;
domain_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)
# Explicit file perms on the wrapper binary. In the AOSP definition of
# domain_trans these are already granted by the macro above; verify against
# the te_macros in this tree before relying on that and dropping the line.
allow netmgrd netutils_wrapper_exec:file { open read getattr execute };
allow netmgrd netutils_wrapper:process sigkill;

# Debug-only access (never present in user builds): writable
# /data/misc/netmgr and the diag device node.
userdebug_or_eng(`
  allow netmgrd netmgr_data_file:dir rw_dir_perms;
  allow netmgrd netmgr_data_file:file create_file_perms;
  allow netmgrd diag_device:chr_file rw_file_perms;
')