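# ==============================================
# MTK Policy Rule
# ==============================================
#
# Domain: netdiag (MTK network-diagnostics daemon, now shipped in /system).
# Changes vs. the previous revision of this file:
#   - the get_prop(device_logging_prop)/get_prop(mmc_prop) pair was listed
#     twice; kept once.
#   - "allow netdiag proc_net_tcp_udp:file getattr;" dropped: getattr is
#     already part of r_file_perms granted on the same type below.
#   - the stale hard-coded PID in the /proc comment replaced by <pid>.
# Rules that grant unusually wide access are marked with NOTE(review) so
# the scope can be re-checked whenever the daemon's needs change.

# Newly added for move to /system
type netdiag_exec, system_file_type, exec_type, file_type;
typeattribute netdiag coredomain;

init_daemon_domain(netdiag)

# Purpose : for access storage file
allow netdiag sdcard_type:dir create_dir_perms;
allow netdiag sdcard_type:file create_file_perms;
# NOTE(review): "domain" matches every process domain, so the next two rules
# let netdiag open and read files under any process's /proc/<pid>/ tree
# (presumably for per-process net stats - confirm). Narrow to the specific
# domains actually needed if that list is known.
allow netdiag domain:dir search;
allow netdiag domain:file { read open };
allow netdiag net_data_file:file r_file_perms;
allow netdiag net_data_file:dir search;
allow netdiag storage_file:dir search;
allow netdiag storage_file:lnk_file read;
allow netdiag mnt_user_file:dir search;
allow netdiag mnt_user_file:lnk_file read;
allow netdiag platform_app:dir search;
allow netdiag untrusted_app:dir search;
allow netdiag mnt_media_rw_file:dir search;
allow netdiag vfat:dir create_dir_perms;
allow netdiag vfat:file create_file_perms;
allow netdiag tmpfs:lnk_file read;
# NOTE(review): rx on all of system_file (not just netdiag_exec / toolbox_exec
# below) lets the daemon execute any binary in /system.
allow netdiag system_file:file rx_file_perms;

# Purpose : for shell, set uid and gid
# NOTE(review): net_admin + net_raw + setuid + setgid is a powerful
# capability set; together with the packet/netlink sockets below it allows
# interface reconfiguration and raw capture, so this domain should stay
# restricted to the diagnostics daemon only.
allow netdiag self:capability { net_admin net_raw setuid setgid };
allow netdiag shell_exec:file rx_file_perms;

# Purpose : access /proc/<pid>/net/psched
allow netdiag proc_net:file r_file_perms;

# Purpose : for ping
allow netdiag dnsproxyd_socket:sock_file write;
allow netdiag fwmarkd_socket:sock_file write;
allow netdiag netd:unix_stream_socket connectto;
allow netdiag self:udp_socket connect;

# Purpose : for service permission
# NOTE(review): mlstrustedsubject exempts netdiag from MLS constraints;
# keep only if the daemon really must cross MLS levels (e.g. per-user data).
typeattribute netdiag mlstrustedsubject;
allow netdiag connectivity_service:service_manager find;
allow netdiag netstats_service:service_manager find;
allow netdiag system_server:binder call;
# system_server may use file descriptors handed to it by netdiag.
allow system_server netdiag:fd use;
allow netdiag servicemanager:binder call;
binder_use(netdiag)

# Purpose : for dumpsys permission
allow netdiag connmetrics_service:service_manager find;
allow netdiag netpolicy_service:service_manager find;
allow netdiag network_management_service:service_manager find;
allow netdiag settings_service:service_manager find;

# Purpose : for access /system/bin/toybox, mmc_prop, proc_net and safemode_prop
get_prop(netdiag, device_logging_prop)
get_prop(netdiag, mmc_prop)
allow netdiag proc_net:dir { read open };
get_prop(netdiag, safemode_prop)
allow netdiag toolbox_exec:file rx_file_perms;

# Purpose : allow netdiag to access storage in new version
allow netdiag media_rw_data_file:file { create_file_perms };
allow netdiag media_rw_data_file:dir { create_dir_perms };

# Purpose : for ip spec output
allow netdiag self:netlink_xfrm_socket { write getattr setopt read bind create nlmsg_read };

# Purpose : for socket error of tcpdump
# The ioctl set on packet sockets is an explicit allowlist (allowxperm), so
# only interface-index and timestamp queries are permitted; extend the list
# rather than dropping the allowxperm line if more ioctls are needed.
allow netdiag self:packet_socket { read getopt create setopt };
allowxperm netdiag self:packet_socket ioctl { SIOCGIFINDEX SIOCGSTAMP };
allow netdiag self:packet_socket { write ioctl map };
allow netdiag proc_net_tcp_udp:file r_file_perms;

# Purpose : for ip
allow netdiag self:netlink_route_socket { write getattr setopt read bind create nlmsg_read };

# Purpose : for iptables
# module_request lets netdiag trigger kernel module autoloading (netfilter
# modules); the kernel still decides which modules may load.
allow netdiag kernel:system module_request;
allow netdiag self:rawip_socket { getopt create };
allow netdiag self:udp_socket { ioctl create };

# Purpose : for network log property
set_prop(netdiag, system_mtk_debug_netlog_prop)
set_prop(netdiag, system_mtk_persist_mtklog_prop)
set_prop(netdiag, system_mtk_debug_mtklog_prop)

## Android P migration
allow netdiag proc_qtaguid_stat:dir { read open search };
allow netdiag proc_qtaguid_stat:file { read getattr open };
# GOOGLE: Commented out for b/169606103
#get_prop(netdiag, vendor_default_prop)
allow netdiag netd:binder call;
get_prop(netdiag, apexd_prop)

# Q save log into /data/debuglogger
# relabelto lets netdiag move existing directories into the debuglog label;
# paired with create_dir_perms it effectively owns that subtree.
allow netdiag debuglog_data_file:dir { relabelto create_dir_perms };
allow netdiag debuglog_data_file:file create_file_perms;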