# netutils_wrapper: the domain vendor processes land in when they exec the
# system-provided network utilities (ip, iptables, tc, ndc).
typeattribute netutils_wrapper coredomain;
typeattribute netutils_wrapper bpfdomain;

# Read-only access to system files, plus permission to exec them without a
# further domain transition (execute_no_trans), so the wrapped utilities
# keep running as netutils_wrapper.
r_dir_file(netutils_wrapper, system_file);
allow netutils_wrapper system_file:file { execute execute_no_trans };

# Capabilities needed by ip / iptables / tc. These two are the only ones the
# neverallow at the end of this file tolerates.
allow netutils_wrapper self:global_capability_class_set { net_admin net_raw };

# Sockets used by the netutils: raw and UDP sockets get the full create set;
# the netlink sockets ip relies on get every permission except ioctl.
allow netutils_wrapper self:{ rawip_socket udp_socket } create_socket_perms;
allow netutils_wrapper self:{ netlink_route_socket netlink_xfrm_socket } ~ioctl;
allow netutils_wrapper proc_net_type:file { open read getattr };

# ndc reaches netd (and the resolver / mdns services) over binder.
allow netutils_wrapper { netd_service dnsresolver_service mdns_service }:service_manager find;
binder_use(netutils_wrapper);
binder_call(netutils_wrapper, netd);

# Vendor code that reloads iptables rules at runtime has to re-create the
# xt_bpf rules too, which means finding the pinned program and running it.
# Write is granted on fs_bpf only; fs_bpf_netd_shared stays read-only here.
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
allow netutils_wrapper fs_bpf:file write;
allow netutils_wrapper bpfloader:bpf prog_run;

# /data/misc/net, read by ndc and ip.
r_dir_file(netutils_wrapper, net_data_file)

# Every domain that is neither core nor an app transitions into
# netutils_wrapper automatically when it execs netutils_wrapper_exec.
domain_auto_trans({
  domain
  -coredomain
  -appdomain
}, netutils_wrapper_exec, netutils_wrapper)

# Spurious denials: not granted, merely kept out of the audit log.
dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
dontaudit netutils_wrapper sysfs_type:file read;

# Hard limit enforced at policy build time: no capability other than the two
# granted above may ever be allowed to this domain.
neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };