| Avijit Kanti Das | 2b495d0 | 2014-10-20 17:43:13 -0700 | [diff] [blame] | 1 | # General definitions |
| 2 | type ipacm, domain; |
| 3 | type ipacm-diag, domain; |
| 4 | type ipacm_exec, exec_type, file_type; |
| 5 | type ipacm-diag_exec, exec_type, file_type; |
| 6 | init_daemon_domain(ipacm) |
| 7 | init_daemon_domain(ipacm-diag) |
| 8 | |
| Skylar Chang | 2c06c3a | 2015-03-09 12:58:40 -0700 | [diff] [blame] | 9 | # associate netdomain to use for accessing internet sockets |
| 10 | net_domain(ipacm) |
| 11 | |
| Avijit Kanti Das | 2b495d0 | 2014-10-20 17:43:13 -0700 | [diff] [blame] | 12 | userdebug_or_eng(` |
| 13 | # Allow using the logging file between ipacm and ipacm-diag |
| 14 | allow ipacm ipacm-diag:unix_dgram_socket sendto; |
| 15 | allow ipacm ipacm_socket:sock_file write; |
| 16 | ') |
| 17 | |
| 18 | # Allow capabilities to perform network operations and interactions with network interfaces |
| 19 | allow ipacm kernel:system module_request; |
| 20 | allow ipacm ipacm:capability net_admin; |
| 21 | |
| 22 | # Allow operations with /dev/ipa, /dev/wwan_ioctl and /dev/ipaNatTable |
| 23 | allow ipacm ipa_dev:chr_file rw_file_perms; |
| 24 | |
| 25 | # Allow querying the network stack via IOCTLs |
| 26 | allow ipacm ipacm:udp_socket { create ioctl }; |
| 27 | |
| 28 | # Allow receiving NETLINK messages |
| 29 | allow ipacm ipacm:netlink_route_socket { create getopt setopt bind read }; |
| 30 | allow ipacm ipacm:netlink_socket { create setopt bind getattr read write }; |
| 31 | |
| 32 | # Allow creating and modifying the PID file |
| 33 | allow ipacm ipacm_data_file:file create_file_perms; |
| 34 | allow ipacm ipacm_data_file:dir w_dir_perms; |