1# Copyright (c) 2022 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
# Two types declared with the dev_attr and file_attr attributes. In this file
# they are only used as sock_file targets that netmanager may write to
# (see the fwmark_service / dnsproxy_service sock_file rules below).
13type fwmark_service, dev_attr, file_attr;
14type dnsproxy_service, dev_attr, file_attr;
15
# netmanager domain: storage access and first group of binder peers.
16allow netmanager accesstoken_service:binder { call };
17allow netmanager data_data_file:dir { search };
18allow netmanager data_data_file:file { open read };
# NOTE(review): data_file:dir allows removing entries (remove_name, rmdir) but
# not creating them; confirm the delete-only grant on this label is intended.
19allow netmanager data_file:dir { remove_name rmdir search };
20allow netmanager data_init_agent:dir { search };
21allow netmanager data_init_agent:file { ioctl open read append };
# Full create/modify/delete on data_service_el1_file directories and files.
# This is the widest file grant in the file; everything netmanager can execute
# or is tricked into writing lands under this label.
22allow netmanager data_service_el1_file:dir { add_name create getattr ioctl lock open read remove_name rmdir search setattr unlink write };
23allow netmanager data_service_el1_file:file { append create getattr ioctl lock map open read setattr unlink write };
24allow netmanager data_service_file:dir { add_name create getattr ioctl lock open read remove_name search setattr unlink write };
25allow netmanager data_system:dir { add_name search write };
# NOTE(review): ioctl is granted on data_system:file without open/read, and no
# allowxperm rule for this source/target/class appears in this file, so the
# ioctl command set is not narrowed here. Confirm it is filtered elsewhere.
26allow netmanager data_system:file { ioctl };
27allow netmanager dev_unix_socket:dir { search };
28allow netmanager download_server:binder { call };
29allow netmanager foundation:binder { call transfer };
30allow netmanager kernel:unix_stream_socket { connectto };
31allow netmanager musl_param:file { read };
# netmanager domain: network privileges on its own sockets.
# net_admin and net_raw together with packet_socket give this domain interface
# configuration and raw packet access, so a compromise of netmanager is a
# compromise of the device network stack. Keep the rest of the domain tight.
32allow netmanager netmanager:capability { net_admin };
33allow netmanager netmanager:capability { net_raw };
34allow netmanager netmanager:netlink_route_socket { create nlmsg_read read write };
35allow netmanager netmanager:packet_socket { bind create read write };
36allow netmanager netmanager:tcp_socket { connect create getattr getopt read setopt write };
# ioctl on udp_socket and unix_dgram_socket is narrowed by the allowxperm rules
# further down in this file.
37allow netmanager netmanager:udp_socket { bind connect create getattr ioctl read write setopt getopt };
38allow netmanager netmanager:unix_dgram_socket { ioctl };
39allow netmanager netsysnative:binder { call };
40allow netmanager node:udp_socket { node_bind };
41allow netmanager paramservice_socket:sock_file write;
# Lets netmanager set parameters labelled persist_param.
42allow netmanager persist_param:parameter_service set;
# NOTE(review): the targets here are the types named port and node, presumably
# the default labels for ports/nodes without a specific type. If so, outbound
# TCP connects and UDP binds are not limited to particular ports. TODO confirm.
43allow netmanager port:tcp_socket { name_connect };
44allow netmanager port:udp_socket { name_bind };
# netmanager domain: executables, further binder peers and system-ability
# (samgr_class) lookups.
# NOTE(review): this rule lets netmanager make binder calls into the sh domain
# and is not wrapped in debug_only; confirm it is needed in release builds.
45allow netmanager sh:binder { call };
46allow netmanager system_bin_file:dir { search };
# NOTE(review): execute_no_trans runs any system_bin_file binary inside the
# netmanager domain itself, so the child keeps net_admin/net_raw and every
# other grant in this file. A dedicated domain transition for the specific
# helper would follow least privilege more closely.
47allow netmanager system_bin_file:file { execute execute_no_trans map read open };
48allow netmanager system_core_hap:binder { call };
49allow netmanager telephony_sa:binder { call };
50allow netmanager time_service:binder { call };
51allow netmanager wifi_manager_service:binder { call transfer };
# add on the tethering manager entry; the remaining samgr_class rules are get
# only (wifi, bluetooth, net_conn entries).
52allow netmanager sa_comm_net_tethering_manager_service:samgr_class { add };
53allow netmanager sa_net_conn_manager:samgr_class { get };
54allow netmanager sa_wifi_hotspot_ability:samgr_class { get };
55allow netmanager sa_wifi_p2p_ability:samgr_class { get };
56allow netmanager sa_wifi_scan_ability:samgr_class { get };
57allow netmanager sa_wifi_device_ability:samgr_class { get };
58allow netmanager sa_bluetooth_server:samgr_class { get };
59allow netmanager bluetooth_service:binder { call transfer };
# Mixed group: rules for other source domains (system_core_hap, sh, init)
# interleaved with further netmanager grants.
60allow system_core_hap sa_comm_net_tethering_manager_service:samgr_class { get };
# NOTE(review): both sh rules are outside debug_only, so the sh domain can look
# up the tethering manager and call netmanager over binder in every build.
# Confirm release builds need this; the ethernet manager rule for sh further
# down is debug-only.
61allow sh sa_comm_net_tethering_manager_service:samgr_class { get };
62allow sh netmanager:binder { call transfer };
# module_request lets netmanager trigger kernel module auto-loading.
63allow netmanager kernel:system { module_request };
64allow netmanager accessibility_param:file { read open map };
65allow netmanager fwmark_service:sock_file { write };
66allow netmanager dnsproxy_service:sock_file { write };
# setfscreate lets the process choose the label applied to files it creates;
# which labels it can actually create is bounded by the create rules it holds.
67allow netmanager netmanager:process { setfscreate };
68allow netmanager usb_service:binder { call };
69allow netmanager sa_usb_service:samgr_class { get };
# NOTE(review): this rule is for the init domain, not netmanager; it sits in
# this file but widens init. Confirm it belongs here.
70allow init configfs:dir { rmdir };
# ioctl command allowlists. Once an allowxperm rule exists for a
# source/target/class, only the listed commands pass the ioctl check.
# 0x5413 is TIOCGWINSZ on the generic Linux ioctl numbering.
71allowxperm netmanager data_service_el1_file:file ioctl { 0x5413 };
72allowxperm netmanager data_init_agent:file ioctl { 0x5413 };
# Linux sockios values: 0x8915/0x8916 SIOCGIFADDR/SIOCSIFADDR,
# 0x891b/0x891c SIOCGIFNETMASK/SIOCSIFNETMASK, 0x8933 SIOCGIFINDEX.
# The two SIOCS* commands change interface configuration.
73allowxperm netmanager netmanager:udp_socket ioctl { 0x8915 0x8916 0x891b 0x891c 0x8933 };
# 0x8910 is SIOCGIFNAME.
74allowxperm netmanager netmanager:unix_dgram_socket ioctl { 0x8910 };
# netsysnative may use file descriptors received from netmanager and operate
# on netmanager-labelled TCP sockets, including bind and connect.
75allow netsysnative netmanager:fd { use };
76allow netsysnative netmanager:tcp_socket { read write bind getopt setopt connect };
77allow netmanager sa_foundation_appms:samgr_class { get };
78
# Wrapped in the debug_only macro: sh gets add and get on the ethernet manager
# samgr_class entry. Presumably emitted only for debug builds; the macro
# definition is not in this file, so verify against the build macros.
79debug_only(`
80    allow sh sa_comm_ethernet_manager_service:samgr_class { add get };
81')
82
# Unconditional add and get on the ethernet manager samgr_class entry.
# NOTE(review): in the first rule the source and target are the same type, and
# that type is otherwise used in this file only as a samgr_class object. An
# allow rule normally names a process domain as source. Confirm this is intended.
83allow sa_comm_ethernet_manager_service sa_comm_ethernet_manager_service:samgr_class { add get };
# NOTE(review): elsewhere in this file add is held only by netmanager for the
# tethering entry, while app domains get only get. Here two hap domains receive
# add as well, which presumably lets an app in those domains register this
# system ability itself. Reduce to get unless registration from a hap is required.
84allow system_basic_hap sa_comm_ethernet_manager_service:samgr_class { add get };
85allow system_core_hap sa_comm_ethernet_manager_service:samgr_class { add get };
86