Allow netmgrd to execute sh.
It invokes helper programs such as /system/bin/ip via sh -c.
In the future, look at reworking netmgrd to directly invoke
the helper programs and/or to transition to a different domain
upon sh invocation to shed unnecessary permissions.
Also rewrite the system_file rule for /system/bin/ip to use
the rx_file_perms macro for consistency.
Change-Id: I407d4503868e928dd876cce932fe6a96fcbd4e0d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 90f68f2..7bec8bd 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -20,8 +20,12 @@
# Talk to qmuxd (qmux_radio)
qmux_socket(netmgrd)
+# Runs commands via sh.
+# TODO: Convert to direct exec of /system/bin/ip and any other helpers.
+allow netmgrd shell_exec:file rx_file_perms;
+
# Runs /system/bin/ip addr flush dev <device> commands.
-allow netmgrd system_file:file execute_no_trans;
+allow netmgrd system_file:file rx_file_perms;
# set net.rmnet* properties.
unix_socket_connect(netmgrd, property, init)