generic/vendor/common/netmgrd.te

# Copyright (c) 2018, 2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above
#       copyright notice, this list of conditions and the following
#       disclaimer in the documentation and/or other materials provided
#       with the distribution.
#     * Neither the name of The Linux Foundation nor the names of its
#       contributors may be used to endorse or promote products derived
#       from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_netmgrd, domain;
type vendor_netmgrd_exec, exec_type, vendor_file_type, file_type;

net_domain(vendor_netmgrd)
init_daemon_domain(vendor_netmgrd)

allow vendor_netmgrd vendor_netmgrd_socket:dir w_dir_perms;
allow vendor_netmgrd vendor_netmgrd_socket:sock_file create_file_perms;
allow vendor_netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write };
allow vendor_netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow vendor_netmgrd self:netlink_route_socket nlmsg_write;
allow vendor_netmgrd self:netlink_socket create_socket_perms_no_ioctl;
allow vendor_netmgrd self:socket create_socket_perms;
allowxperm vendor_netmgrd self:socket ioctl msm_sock_ipc_ioctls;
allowxperm vendor_netmgrd self:udp_socket ioctl priv_sock_ioctls;
allow vendor_netmgrd self:tipc_socket { create_socket_perms_no_ioctl };

#Allow connections to qmipriod
unix_socket_connect(vendor_netmgrd, vendor_netmgrd, vendor_qmipriod);

allow vendor_netmgrd sysfs_net:dir r_dir_perms;
allow vendor_netmgrd sysfs_net:file rw_file_perms;
allow vendor_netmgrd vendor_sysfs_data:file r_file_perms;

wakelock_use(vendor_netmgrd)

#Allow netutils usage
domain_auto_trans(vendor_netmgrd, netutils_wrapper_exec, netutils_wrapper)

use_netutils(vendor_netmgrd)

#Allow diag logging
allow vendor_netmgrd vendor_sysfs_timestamp_switch:file { read open };
userdebug_or_eng(`
  r_dir_file(vendor_netmgrd, vendor_sysfs_diag)
  allow vendor_netmgrd vendor_debugfs_ipc:dir search;
')

#Ignore if device loading for private IOCTL failed
dontaudit vendor_netmgrd kernel:system { module_request };

allow vendor_netmgrd proc_net:file rw_file_perms;
allow vendor_netmgrd vendor_netmgr_data_file:dir rw_dir_perms;
allow vendor_netmgrd vendor_netmgr_data_file:file create_file_perms;
allow vendor_netmgrd vendor_netmgr_recovery_data_file:file create_file_perms;
allow vendor_netmgrd vendor_netmgr_recovery_data_file:dir rw_dir_perms;

get_prop(vendor_netmgrd, hwservicemanager_prop)
hwbinder_use(vendor_netmgrd)
binder_call(vendor_netmgrd, netd)
allow vendor_netmgrd system_net_netd_hwservice:hwservice_manager find;

# Allow netmgrd to use shsusrd properties
set_prop(vendor_netmgrd, vendor_data_shsusr_prop)
set_prop(vendor_netmgrd, vendor_data_qmipriod_prop)

allow vendor_netmgrd self:capability { net_admin net_raw setgid setpcap setuid kill };

allow vendor_netmgrd vendor_toolbox_exec:file rx_file_perms;

dontaudit vendor_netmgrd kernel:system module_request;
dontaudit vendor_netmgrd self:system module_request;