# Domain for the apmanager (access point manager) daemon.
# Review notes are marked NOTE(review); they flag rules whose breadth a
# policy reviewer would want justified against actual audit denials.
type apmanager, domain;
type apmanager_exec, exec_type, file_type;
type apmanager_data_file, file_type, data_file_type;
# Base daemon domain setup and network access (macros defined elsewhere in
# the policy tree; their exact grants are not visible in this file).
brillo_domain(apmanager)
net_domain(apmanager)
# Allow crash_reporter access to core dump files.
allow_crash_reporter(apmanager)
# Allow passing file descriptors from apmanager over D-Bus: dbus_daemon may
# use fds it receives from apmanager and read apmanager's data files and FIFOs.
allow dbus_daemon apmanager:fd use;
allow dbus_daemon apmanager_data_file:file r_file_perms;
allow dbus_daemon apmanager:fifo_file r_file_perms;
# The following permissions are needed by apmanager itself.
# Re-execute its own binary without a domain transition.
allow apmanager apmanager_exec:file execute_no_trans;
# NOTE(review): dnsmasq and hostapd are run with execute_no_trans, so they
# stay in the apmanager domain and inherit every rule below, including the
# capability set. Transitioning them into their own domains would limit what
# a bug in either helper can reach — TODO confirm whether such domains exist.
allow apmanager dnsmasq_exec:file { read getattr open execute execute_no_trans };
allow apmanager hostapd_exec:file { read getattr open execute execute_no_trans };
# NOTE(review): sys_module (kernel module loading) and dac_override (bypass
# of file DAC checks) are far broader than the rest of this policy; keep them
# only if a concrete denial shows apmanager needs them.
allow apmanager self:capability { setuid fsetid kill net_admin net_bind_service net_raw setgid sys_module dac_override };
# Netlink sockets: route (interface/address configuration), plain netlink,
# and generic netlink (presumably nl80211 for the wireless interface — verify).
allow apmanager self:netlink_route_socket { write getattr nlmsg_write read bind create nlmsg_read };
allow apmanager self:netlink_socket { write getattr setopt read bind create };
allow apmanager self:netlink_generic_socket create_socket_perms_no_ioctl;
# Raw packet socket; allowxperm restricts its ioctl permission to the listed
# command sets. unpriv_tty_ioctls is presumably here because generic socket
# ioctls such as FIONREAD share the tty ioctl number range — verify.
allow apmanager self:packet_socket { write ioctl setopt read bind create };
allowxperm apmanager self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
# Private data directory: full control over its own dirs, files and sockets.
allow apmanager apmanager_data_file:dir create_dir_perms;
allow apmanager apmanager_data_file:file create_file_perms;
allow apmanager apmanager_data_file:sock_file { create getattr unlink setattr write };
# Read-only access to /proc/net and sysfs (network interface state, presumably).
allow apmanager proc_net:file r_file_perms;
allow apmanager sysfs:file r_file_perms;
allow apmanager sysfs:lnk_file read;