# Policy for /vendor/bin/netmgrd
#
# netmgrd is the Qualcomm vendor network-management daemon.  Rules below are
# grouped by the resource they reach rather than in historical order; rule
# order has no effect on the compiled policy.

type netmgrd, domain;
type netmgrd_exec, exec_type, vendor_file_type, file_type;

# init-spawned daemon with the common networking permissions.
init_daemon_domain(netmgrd)
net_domain(netmgrd)

# --- Capabilities ---------------------------------------------------------
# net_admin/net_raw: interface, route and raw-socket management.
# setuid/setgid/setpcap: presumably so the daemon can drop privileges after
# start-up -- confirm against the binary.  Every capability listed here
# widens what a compromised netmgrd can do, so keep the set minimal.
allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };

# --- Kernel interfaces ----------------------------------------------------
# /proc/net and /proc/sys/net files.
allow netmgrd proc_net_type:file rw_file_perms;

# Read everything in /sys; write is restricted to the sysfs_net subtree.
r_dir_file(netmgrd, sysfs_type)
allow netmgrd sysfs_net:file write;

# Wakelocks while processing modem/network events.
wakelock_use(netmgrd)

# --- Sockets --------------------------------------------------------------
# Qualcomm MSM Interface (QMI) radio sockets.
qmux_socket(netmgrd)

# Socket directory /dev/socket/netmgrd/ and the socket files inside it.
allow netmgrd netmgrd_socket:dir rw_dir_perms;
allow netmgrd netmgrd_socket:sock_file create_file_perms;

# Netlink: route (links/routes/addresses), generic, and xfrm (IPsec SA/SP).
# The *_no_ioctl variants leave the generic ioctl permission out; the ioctl
# surface is opened explicitly by the allowxperm rules that follow.
allow netmgrd self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netmgrd self:rawip_socket create_socket_perms_no_ioctl;
allow netmgrd self:socket create_socket_perms;

# ioctl allow-list on top of what the `domain` attribute already grants:
# privileged socket ioctls on UDP sockets, MSM IPC ioctls on generic sockets.
allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;

# --- System properties ----------------------------------------------------
set_prop(netmgrd, net_radio_prop)

# --- /data ----------------------------------------------------------------
# TODO(b/36682246): Remove data_between_core_and_vendor_violators once
# netmgrd no longer directly accesses /data owned by the frameworks.
# (Vendor processes are not supposed to touch core-owned /data; this
# attribute is the tracked exemption, not a grant.)
typeattribute netmgrd data_between_core_and_vendor_violators;

# /data/misc/net: read only.
allow netmgrd net_data_file:dir r_dir_perms;
allow netmgrd net_data_file:file r_file_perms;

# --- Executing helpers ----------------------------------------------------
# shell, ip and toolbox from the vendor image.
allow netmgrd vendor_shell_exec:file rx_file_perms;
allow netmgrd vendor_toolbox_exec:file rx_file_perms;

# netutils wrappers run in their own domain (netutils_wrapper), so netmgrd
# does not carry the wrappers' privileges itself; it may only start and kill
# them.  NOTE(review): the explicit file rule below likely overlaps with what
# domain_trans already grants on the exec type -- verify against te_macros.
domain_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)
allow netmgrd netutils_wrapper_exec:file { open read getattr execute };
allow netmgrd netutils_wrapper:process sigkill;

# --- userdebug/eng builds only --------------------------------------------
# Read/write /data/misc/netmgr and the diag device.  Not granted on user
# builds.
userdebug_or_eng(`
  allow netmgrd netmgr_data_file:dir rw_dir_perms;
  allow netmgrd netmgr_data_file:file create_file_perms;
  allow netmgrd diag_device:chr_file rw_file_perms;
')