Gitiles
Code Review Sign In
review.blissroms.org / platform_device_qcom_sepolicy-legacy / refs/heads/rebase / . / common / netmgrd.te
blob: 714f5419c6841c97bb77159378851b6994f652f9 [file] [log] [blame]
Biswajit Paul6786a922017-03-16 11:53:53 -0700[diff] [blame]1type netmgrd, domain;
Ravi Kumar Siddojigaric7def122017-06-13 00:49:19 +0530[diff] [blame]2type netmgrd_exec, exec_type, vendor_file_type, file_type;
Avijit Kanti Das353e9292014-07-23 23:39:30 -0700[diff] [blame]3net_domain(netmgrd)
4init_daemon_domain(netmgrd)
Subash Abhinov Kasiviswanathan1b307e72014-03-04 11:09:42 -0700[diff] [blame]5
6userdebug_or_eng(`
Shruthi Krishnaf1b38f72014-07-25 16:21:53 -0700[diff] [blame]7 domain_auto_trans(shell, netmgrd_exec, netmgrd)
David Nga658efb2016-10-07 11:38:22 -0700[diff] [blame]8 #domain_auto_trans(adbd, netmgrd_exec, netmgrd)
Biswajit Paul277acbb2016-07-20 12:02:14 -0700[diff] [blame]9 diag_use(netmgrd)
Subash Abhinov Kasiviswanathana97c94d2017-06-04 21:41:28 -0600[diff] [blame]10 diag_use(netutils_wrapper)
Subash Abhinov Kasiviswanathan1b307e72014-03-04 11:09:42 -0700[diff] [blame]11')
Avijit Kanti Das353e9292014-07-23 23:39:30 -0700[diff] [blame]12
13#Allow files to be written during the operation of netmgrd
14file_type_auto_trans(netmgrd, system_data_file, data_test_data_file)
15
16#Allow netmgrd operations
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]17allow netmgrd netmgrd:capability {
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]18 net_raw
19 net_admin
20 sys_module
21 fsetid
22 setgid
23 setuid
24 setpcap
25};
Avijit Kanti Das353e9292014-07-23 23:39:30 -0700[diff] [blame]26
27#Allow logging
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]28allow netmgrd smem_log_device:chr_file rw_file_perms;
Subash Abhinov Kasiviswanathan121430c2017-05-25 17:35:27 -0600[diff] [blame]29allow netmgrd netmgrd_data_file:file create_file_perms;
30allow netmgrd netmgrd_data_file:dir w_dir_perms;
Avijit Kanti Das353e9292014-07-23 23:39:30 -0700[diff] [blame]31
Subash Abhinov Kasiviswanathanf7bacd82017-05-30 17:37:15 -0600[diff] [blame]32#Allow netutils usage
Subash Abhinov Kasiviswanathana97c94d2017-06-04 21:41:28 -0600[diff] [blame]33use_netutils(netmgrd)
34allow netutils_wrapper netmgrd_data_file:file rw_file_perms;
35allow netutils_wrapper wcnss_service_exec:file rx_file_perms;
Subash Abhinov Kasiviswanathan218f5402017-08-23 20:14:47 -0600[diff] [blame]36allow netmgrd netutils_wrapper:process sigkill;
Subash Abhinov Kasiviswanathanf7bacd82017-05-30 17:37:15 -0600[diff] [blame]37
Avijit Kanti Das353e9292014-07-23 23:39:30 -0700[diff] [blame]38#Allow operations on different types of sockets
39allow netmgrd netmgrd:rawip_socket { create getopt setopt write };
Biswajit Paul2d35d982017-02-01 17:40:10 -0800[diff] [blame]40allow netmgrd netmgrd:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
Avijit Kanti Das353e9292014-07-23 23:39:30 -0700[diff] [blame]41allow netmgrd netmgrd:netlink_socket { write read create bind };
Biswajit Paul2d35d982017-02-01 17:40:10 -0800[diff] [blame]42allow netmgrd netmgrd:socket { create };
Avijit Kanti Das353e9292014-07-23 23:39:30 -0700[diff] [blame]43allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write };
Biswajit Paul2d35d982017-02-01 17:40:10 -0800[diff] [blame]44allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
45allow netmgrd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
Avijit Kanti Das353e9292014-07-23 23:39:30 -0700[diff] [blame]46
Subash Abhinov Kasiviswanathan4ac88c62014-11-07 14:13:41 -0700[diff] [blame]47unix_socket_connect(netmgrd, cnd, cnd);
48
Biswajit Paul64f83f62014-10-13 14:36:16 -0700[diff] [blame]49qmux_socket(netmgrd);
Avijit Kanti Das353e9292014-07-23 23:39:30 -0700[diff] [blame]50
51#Allow writing of ipv6 network properties
Vladimir Olteanc17f8db2018-09-26 23:35:50 +0300[diff] [blame]52allow netmgrd { proc_net sysfs_net }:file rw_file_perms;
53allow netmgrd sysfs_net:dir r_dir_perms;
Avijit Kanti Das353e9292014-07-23 23:39:30 -0700[diff] [blame]54
Subash Abhinov Kasiviswanathan1b307e72014-03-04 11:09:42 -0700[diff] [blame]55#Allow address configuration
Subash Abhinov Kasiviswanathan4e2e5af2014-10-16 13:37:05 -0600[diff] [blame]56#Allow setting of DNS and GW Android properties
sahil madekaa3608c92017-05-12 15:41:40 -0700[diff] [blame]57set_prop(netmgrd, system_prop)
58set_prop(netmgrd, net_radio_prop)
59set_prop(netmgrd, xlat_prop)
Subash Abhinov Kasiviswanathan5b74d712016-02-04 17:22:18 -0700[diff] [blame]60
Avijit Kanti Das353e9292014-07-23 23:39:30 -0700[diff] [blame]61#Allow execution of commands in shell
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]62allow netmgrd system_file:file x_file_perms;
Avijit Kanti Dasf91f2ba2014-09-24 17:08:13 -0700[diff] [blame]63
Biswajit Paulcc0e05e2017-03-08 16:20:35 -0800[diff] [blame]64allow netmgrd self:socket create_socket_perms;
Avijit Kanti Dasfe61c2d2014-10-16 20:17:03 -0700[diff] [blame]65allow netmgrd sysfs_esoc:dir r_dir_perms;
Avijit Kanti Dasf91f2ba2014-09-24 17:08:13 -0700[diff] [blame]66
67#Allow communication with netd
Ravi Kumar Siddojigaric7def122017-06-13 00:49:19 +0530[diff] [blame]68#allow netmgrd netd_socket:sock_file w_file_perms;
69#r_dir_file(netmgrd, net_data_file)
Subash Abhinov Kasiviswanathan4e2e5af2014-10-16 13:37:05 -0600[diff] [blame]70
71#Allow nemtgrd to use esoc api's to determine target
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]72allow netmgrd sysfs_esoc:lnk_file r_file_perms;
Avijit Kanti Dasd01b3b32014-10-21 10:30:09 -0700[diff] [blame]73
74r_dir_file(netmgrd, sysfs_ssr);
Avijit Kanti Dase0ef7852014-11-05 10:40:03 -0800[diff] [blame]75
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]76allow netmgrd sysfs:file w_file_perms;
Sunmeet Gill575d2492017-05-22 19:03:52 -0700[diff] [blame]77allow netmgrd sysfs_data:file r_file_perms;
Avijit Kanti Dasd6e8d8e2014-11-07 10:27:44 -0800[diff] [blame]78
Subash Abhinov Kasiviswanathanb8943bd2017-05-05 19:34:18 -0600[diff] [blame]79#Acquire lock on /system/etc/xtables.lock
80#Required till netutils wrappers are available
sahil madekaa3608c92017-05-12 15:41:40 -0700[diff] [blame]81not_full_treble(`allow netmgrd system_file:file lock;')
Subash Abhinov Kasiviswanathanb8943bd2017-05-05 19:34:18 -0600[diff] [blame]82
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]83#Allow netmgrd to create netmgrd socket
84allow netmgrd netmgrd_socket:dir create_dir_perms;
85allow netmgrd netmgrd_socket:sock_file create_file_perms;
86
Ravi Kumar Siddojigaric7def122017-06-13 00:49:19 +0530[diff] [blame]87allow netmgrd { wcnss_service_exec vendor_shell_exec vendor_toolbox_exec }:file rx_file_perms;
Subash Abhinov Kasiviswanathan8bd40cd2015-09-29 18:48:44 -0600[diff] [blame]88
89#Allow netmgrd to use wakelock
90wakelock_use(netmgrd)
Biswajit Paulcc0e05e2017-03-08 16:20:35 -0800[diff] [blame]91
92allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
Subash Abhinov Kasiviswanathan40124862017-05-08 16:46:54 -0600[diff] [blame]93allowxperm netmgrd self:udp_socket ioctl rmnet_sock_ioctls;
Biswajit Paulcc0e05e2017-03-08 16:20:35 -0800[diff] [blame]94allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
Subash Abhinov Kasiviswanathan4828dd02017-08-08 14:22:19 -0600[diff] [blame]95
96#Allow netmgrd to use netd HAL via HIDL
97get_prop(netmgrd, hwservicemanager_prop)
98hwbinder_use(netmgrd)
99binder_call(netmgrd, netd)
100allow netmgrd system_net_netd_hwservice:hwservice_manager find;