# netmgr: goldfish Wi-Fi manager.
#
# Creates bridges, enslaves interfaces as hostapd brings them up, forwards
# frames over packet sockets, edits hostapd's config and restarts hostapd.
# Grants that are broader than the stated purpose are marked NOTE(review).
type netmgr, domain;
type netmgr_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(netmgr)
net_domain(netmgr)

# Use file descriptors handed over from execns.
allow netmgr execns:fd use;

# --- Properties -------------------------------------------------------------
# Announce that bridging has completed.
set_prop(netmgr, vendor_net);
# Restart hostapd via ctl.restart when its config changes.
# NOTE(review): ctl_default_prop is the catch-all label for ctl.* properties,
# so this lets netmgr start/stop/restart every init service that has no more
# specific ctl label, not only hostapd. A dedicated ctl property label for
# hostapd would scope this down — confirm against property_contexts.
set_prop(netmgr, ctl_default_prop);

# --- hostapd configuration --------------------------------------------------
# netmgr rewrites hostapd's config; a compromise of netmgr therefore reaches
# hostapd through the files it parses.
allow netmgr hostapd_data_file:dir rw_dir_perms;
allow netmgr hostapd_data_file:file create_file_perms;

# --- Interface and bridge management ----------------------------------------
# CAP_NET_ADMIN for the bridge/ifflags ioctls below, CAP_NET_RAW for the
# packet sockets.
allow netmgr self:capability { net_raw net_admin };
allow netmgr self:socket { create };
allow netmgr proc_net:file { read getattr open };

# ethtool queries over a unix datagram socket.
allow netmgr self:unix_dgram_socket ioctl;
allowxperm netmgr self:unix_dgram_socket ioctl { SIOCETHTOOL };

# Bring interfaces up/down and add/remove bridges and bridge members.
# NOTE(review): SIOCSIFADDR/SIOCSIFNETMASK are not granted here; address
# assignment presumably goes through `ip` over netlink (see Routing) — confirm.
allow netmgr self:udp_socket { ioctl };
allowxperm netmgr self:udp_socket ioctl {
    SIOCSIFFLAGS
    SIOCBRADDBR
    SIOCBRADDIF
    SIOCBRDELIF
};

# Packet socket for wifi forwarding; map is presumably for a PACKET_RX_RING,
# the ioctls resolve ifindex and hardware address.
allow netmgr self:packet_socket { bind create read write getopt setopt ioctl map };
allowxperm netmgr self:packet_socket ioctl { SIOCGIFINDEX SIOCGIFHWADDR };

# --- Routing ----------------------------------------------------------------
# Run `ip` without a domain transition (it executes with netmgr's full
# permissions) and write route-table changes to block/unblock traffic.
# The base netlink_route_socket permissions presumably come from net_domain();
# nlmsg_write is the additional write access.
allow netmgr goldfish_ip_exec:file execute_no_trans;
allow netmgr self:netlink_route_socket nlmsg_write;

# --- Kernel modules ---------------------------------------------------------
# module_request lets the kernel auto-load a module on netmgr's behalf (e.g.
# for a socket family); CAP_SYS_MODULE lets netmgr itself load and unload
# arbitrary modules.
# NOTE(review): sys_module is a very broad grant for a network daemon. If only
# kernel-initiated autoload is needed, module_request alone covers it — confirm
# whether netmgr really calls init_module/finit_module before keeping this, and
# check it against the platform's neverallow rules for sys_module.
allow netmgr kernel:system module_request;
allow netmgr self:capability sys_module;