# Policy for /vendor/bin/netmgrd
#
# netmgrd is the vendor network-management daemon. This file declares its
# process domain and enumerates everything it may touch. Notes below marked
# NOTE(review) or "confirm" rest on macro bodies or daemon code that are not
# visible in this file and should be checked against them.

# Process domain for the daemon, and the label of its executable.
# netmgrd_exec carries vendor_file_type, so the binary is a vendor image file.
type netmgrd, domain;
type netmgrd_exec, exec_type, vendor_file_type, file_type;

# init_daemon_domain: te_macros helper that lets init start netmgrd_exec and
# run it in the netmgrd domain (macro body defined elsewhere).
# net_domain: the shared permission set given to every network-using domain.
init_daemon_domain(netmgrd)
net_domain(netmgrd)

# Grant access to Qualcomm MSM Interface (QMI) radio sockets
qmux_socket(netmgrd)

# Lets the daemon hold wakelocks (wakelock_use macro, defined elsewhere).
wakelock_use(netmgrd)

# create socket in /dev/socket/netmgrd/
# netmgrd owns its socket directory: it may read/modify the directory and
# create or remove socket files in it. Peers that connect to those sockets
# need their own rules; none are granted in this file.
allow netmgrd netmgrd_socket:dir rw_dir_perms;
allow netmgrd netmgrd_socket:sock_file create_file_perms;

# Read and write every file carrying the proc_net_type attribute (/proc/net
# and related sysctl entries, per the attribute definition elsewhere).
# NOTE(review): write access to the whole attribute is broad; if the daemon
# only writes a few specific sysctls, a narrower target type would be safer.
allow netmgrd proc_net_type:file rw_file_perms;

# Kernel capabilities the daemon may exercise in its own process:
#   net_admin / net_raw  - interface, route and raw-socket work; backs the
#                          netlink_route, netlink_xfrm and rawip rules below.
#   setuid / setgid / setpcap - presumably used to drop privileges after
#                          start-up; confirm against the daemon source, since
#                          together they let the process change identity.
allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };


# TODO(b/36682246): Remove data_between_core_and_vendor_violators once
# netmgrd no longer directly accesses /data owned by the frameworks.
# The attribute marks a Treble layering violation (vendor domain touching
# framework-owned /data); the net_data_file and netmgr_data_file rules below
# are the reason it is still needed.
typeattribute netmgrd data_between_core_and_vendor_violators;
# read /data/misc/net (read-only, on every build type)
allow netmgrd net_data_file:dir r_dir_perms;
allow netmgrd net_data_file:file r_file_perms;
# read and write /data/misc/netmgr
# Granted on userdebug/eng builds only. No rule in this file gives netmgrd
# any access to netmgr_data_file on user builds, so writes there are denied
# in production unless another policy file adds them.
userdebug_or_eng(`
  allow netmgrd netmgr_data_file:dir rw_dir_perms;
  allow netmgrd netmgr_data_file:file create_file_perms;
')

# execute the vendor shell and toolbox
# No rule here grants ip directly; network utilities are presumably run
# through the netutils_wrapper transition at the end of this file - confirm.
allow netmgrd vendor_shell_exec:file rx_file_perms;
allow netmgrd vendor_toolbox_exec:file rx_file_perms;

# netmgrd sockets
#   netlink_route_socket - read and change interfaces/routes; nlmsg_write is
#                          the privileged half and pairs with net_admin above.
#   netlink_socket       - generic netlink, without ioctl.
#   netlink_xfrm_socket  - kernel IPsec (xfrm) SA/policy configuration.
#   rawip_socket         - raw IP sockets, backed by net_raw above.
#   socket               - generic socket class with the full permission set,
#                          including ioctl; the allowxperm rule below restricts
#                          which ioctl commands are accepted on it.
allow netmgrd self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netmgrd self:rawip_socket create_socket_perms_no_ioctl;
allow netmgrd self:socket create_socket_perms;
# in addition to ioctl commands granted to domain allow netmgrd to use:
#   priv_sock_ioctls on udp sockets and msm_sock_ipc_ioctls on the generic
#   socket class. Because xperm rules exist for these classes, ioctl commands
#   outside these lists (and the domain-wide ones) are denied.
allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;

# May set the properties in the net_radio_prop set (set_prop macro).
set_prop(netmgrd, net_radio_prop)

# read files in /sys
r_dir_file(netmgrd, sysfs_type)
# Write is limited to sysfs_net files, not all of sysfs.
allow netmgrd sysfs_net:file write;

# Debug builds only: read/write access to the diag character device
# (presumably the Qualcomm diagnostic interface). Keep this out of user
# builds; it is a wide debug channel.
userdebug_or_eng(`
  allow netmgrd diag_device:chr_file rw_file_perms;
')

# For netmgrd to be able to execute netutils wrappers
# domain_trans sets up the transition into the netutils_wrapper domain when
# netmgrd execs netutils_wrapper_exec, so the wrapped tools run under that
# domain rather than with netmgrd permissions (whether the transition is
# automatic or must be requested by the caller depends on the macro body -
# confirm in te_macros). The explicit file perms cover the exec itself;
# sigkill lets netmgrd terminate a wrapper process it started.
domain_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)
allow netmgrd netutils_wrapper_exec:file { open read getattr execute };
allow netmgrd netutils_wrapper:process sigkill;

     62