common/netmgrd.te

type netmgrd, domain;
type netmgrd_exec, exec_type, file_type;
net_domain(netmgrd)
init_daemon_domain(netmgrd)

userdebug_or_eng(`
  domain_auto_trans(shell, netmgrd_exec, netmgrd)
  domain_auto_trans(adbd, netmgrd_exec, netmgrd)
')

#Allow files to be written during the operation of netmgrd
file_type_auto_trans(netmgrd, system_data_file, data_test_data_file)

#Allow netmgrd operations
allow netmgrd netmgrd:capability { dac_override net_raw net_admin sys_module fsetid setgid setuid setpcap };

#Allow access to kernel modules
allow netmgrd kernel:system { module_request };

#Allow logging
allow netmgrd diag_device:chr_file { rw_file_perms };
allow netmgrd smem_log_device:chr_file { rw_file_perms };

#Allow operations on different types of sockets
allow netmgrd netmgrd:rawip_socket { create getopt setopt write };
allow netmgrd netmgrd:netlink_xfrm_socket { create bind };
allow netmgrd netmgrd:netlink_socket { write read create bind };
allow netmgrd netmgrd:socket { create ioctl };
allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write };
allow netmgrd init:unix_stream_socket { connectto };
allow netmgrd property_socket:sock_file write;

qmux_socket(netmgrd);

#Allow writing of ipv6 network properties
allow netmgrd proc_net:file { write };

#Allow address configuration
allow netmgrd system_prop:property_service { set };

#Allow setting of DNS and GW Android properties
allow netmgrd net_radio_prop:property_service { set };

#Allow execution of commands in shell
allow netmgrd system_file:file { execute_no_trans };

allow netmgrd self:socket create_socket_perms;
allow netmgrd sysfs_esoc:dir r_dir_perms;

#Allow communication with netd
allow netmgrd netd_socket:sock_file write;

#Allow nemtgrd to use esoc api's to determine target
allow netmgrd shell_exec:file { execute r_file_perms execute_no_trans };
allow netmgrd sysfs_esoc:lnk_file read;

r_dir_file(netmgrd, sysfs_ssr);