#SELinux policy for the netmgrd daemon: declares the netmgrd domain and its
#executable type, then grants the domain the permissions it uses at runtime.
#Rules below are plain "allow" statements or policy macros (m4); there is no
#ordering dependency between allow rules.
type netmgrd, domain;
type netmgrd_exec, exec_type, file_type;
net_domain(netmgrd)
init_daemon_domain(netmgrd)

#Gated by userdebug_or_eng: shell and adbd may launch netmgrd_exec and land in
#the netmgrd domain. NOTE(review): this transition is meant for debug builds
#only; confirm it is not also reachable on user builds through another macro.
userdebug_or_eng(`
domain_auto_trans(shell, netmgrd_exec, netmgrd)
domain_auto_trans(adbd, netmgrd_exec, netmgrd)
')

#Allow files to be written during the operation of netmgrd
#(files netmgrd creates under system_data_file directories are relabelled to
#data_test_data_file rather than inheriting the parent label)
file_type_auto_trans(netmgrd, system_data_file, data_test_data_file)

#Allow netmgrd operations
#NOTE(review): this is a broad capability set. dac_override bypasses
#file-mode checks, sys_module (with the module_request rule below) permits
#kernel module loading, and setpcap/setuid/setgid allow credential changes.
#Each of these widens what a compromised netmgrd can do; confirm every
#capability is exercised by the daemon and drop the rest.
allow netmgrd netmgrd:capability { dac_override net_raw net_admin sys_module fsetid setgid setuid setpcap };

#Allow access to kernel modules
#(module_request lets the daemon trigger on-demand module loading)
allow netmgrd kernel:system { module_request };

#Allow logging
allow netmgrd diag_device:chr_file { rw_file_perms };
allow netmgrd smem_log_device:chr_file { rw_file_perms };

#Allow operations on different types of sockets
allow netmgrd netmgrd:rawip_socket { create getopt setopt write };
allow netmgrd netmgrd:netlink_xfrm_socket { create_socket_perms nlmsg_write nlmsg_read };
allow netmgrd netmgrd:netlink_socket { write read create bind };
#NOTE(review): generic socket ioctl is granted here with no ioctl command
#restriction visible in this file; if the policy base supports ioctl
#filtering, consider limiting it to the commands netmgrd issues.
allow netmgrd netmgrd:socket { create ioctl };
allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write };
#Property-service access path: connect to init's stream socket and write the
#property socket file (the property set rules are further down).
allow netmgrd init:unix_stream_socket { connectto };
allow netmgrd property_socket:sock_file write;

#NOTE(review): the trailing ';' after this and the two other macro
#invocations below is unconventional for macro calls in this style of policy;
#confirm the build tolerates it.
unix_socket_connect(netmgrd, cnd, cnd);

qmux_socket(netmgrd);

#Allow writing of ipv6 network properties
allow netmgrd proc_net:file { write };

#Allow address configuration
#NOTE(review): system_prop covers a wide range of properties, not only
#address-related ones; verify the specific properties netmgrd sets and
#whether a narrower property type is available.
allow netmgrd system_prop:property_service { set };

#Allow setting of DNS and GW Android properties
allow netmgrd net_radio_prop:property_service { set };

#Allow execution of commands in shell
#NOTE(review): execute_no_trans runs system binaries inside the netmgrd
#domain itself, so anything executed this way inherits the capabilities
#and socket/file access granted in this file. Prefer a domain transition
#for helpers that do not need the full netmgrd permission set.
allow netmgrd system_file:file { execute_no_trans };

#self:socket here overlaps with the netmgrd:socket rule above (same subject
#and target type); one of the two is redundant.
allow netmgrd self:socket create_socket_perms;
allow netmgrd sysfs_esoc:dir r_dir_perms;

#Allow communication with netd
allow netmgrd netd_socket:sock_file write;
allow netmgrd net_data_file:file r_file_perms;
#wpa_exec rx_file_perms is also granted by the combined rule near the end of
#this file; this line is redundant with it.
allow netmgrd wpa_exec:file rx_file_perms;
allow netmgrd net_data_file:dir r_dir_perms;

#Allow netmgrd to use esoc api's to determine target
#NOTE(review): shell_exec with execute_no_trans means the shell runs in the
#netmgrd domain (see the system_file note above); confirm the scripts invoked
#are fixed and not derived from external input.
allow netmgrd shell_exec:file { execute r_file_perms execute_no_trans };
allow netmgrd sysfs_esoc:lnk_file read;

r_dir_file(netmgrd, sysfs_ssr);

allow netmgrd { wcnss_service_exec wpa_exec }:file rx_file_perms;

#NOTE(review): this grants write to the generic sysfs type, i.e. every sysfs
#file that has not been given a more specific label. If only particular
#sysfs nodes are written, labelling them and scoping this rule to that
#label would narrow the exposure.
allow netmgrd sysfs:file write;