vendor/qcom/common/netmgrd.te - device/google/redbull-sepolicy - Git at Google

 type netmgrd, domain;
 type netmgrd_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(netmgrd)
 net_domain(netmgrd)

 userdebug_or_eng(`
   allow netmgrd diag_device:chr_file rw_file_perms;
   #Allow diag logging
   allow netmgrd sysfs_timestamp_switch:file r_file_perms;
   r_dir_file(netmgrd, sysfs_diag)
 ')

 #Allow netmgrd operations
 allow netmgrd netmgrd:capability {
     net_raw
     net_admin
     setgid
     setuid
     setpcap
 };

 #Allow set persist.vendor.data.shs_ko_load
 #Allow set persist.vendor.data.shsusr_load
 #Allow set persist.vendor.data.perf_ko_load
 #Allow set persist.vendor.data.qmipriod_load
 #Allow set persist.vendor.data.offload_ko_load
 set_prop(netmgrd, vendor_radio_prop);

 #Allow netmgrd to use wakelock
 wakelock_use(netmgrd)

 r_dir_file(netmgrd, sysfs_ssr);

 #Allow operations on different types of sockets
 allow netmgrd self:netlink_route_socket nlmsg_write;
 allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
 allow netmgrd self:netlink_xfrm_socket create_socket_perms_no_ioctl;
 allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow netmgrd self:qipcrtr_socket create_socket_perms_no_ioctl;

 #Allow writing of ipv6 network properties
 allow netmgrd proc_net:file rw_file_perms;

 #Allow netmgrd to create netmgrd socket
 allow netmgrd netmgrd_socket:dir create_dir_perms;
 allow netmgrd netmgrd_socket:sock_file create_file_perms;

 allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
 #Allow netmgrd to use netd HAL via HIDL
 allow netmgrd system_net_netd_hwservice:hwservice_manager find;
 get_prop(netmgrd, hwservicemanager_prop)
 hwbinder_use(netmgrd)
 binder_call(netmgrd, netd)

 allow netmgrd sysfs_net:dir r_dir_perms;
 allow netmgrd sysfs_net:file rw_file_perms;
 allow netmgrd sysfs_soc:dir search;
 allow netmgrd sysfs_soc:file r_file_perms;
 allow netmgrd sysfs_msm_subsys:dir r_dir_perms;
 allow netmgrd sysfs_msm_subsys:file r_file_perms;

 # Allow netmgrd logging mechanism
 allow netmgrd netmgrd_data_file:dir rw_dir_perms;
 allow netmgrd netmgrd_data_file:file create_file_perms;

 #Ignore if device loading for private IOCTL failed
 dontaudit netmgrd kernel:system module_request;
	type netmgrd, domain;
	type netmgrd_exec, exec_type, vendor_file_type, file_type;
	init_daemon_domain(netmgrd)
	net_domain(netmgrd)

	userdebug_or_eng(`
	allow netmgrd diag_device:chr_file rw_file_perms;
	#Allow diag logging
	allow netmgrd sysfs_timestamp_switch:file r_file_perms;
	r_dir_file(netmgrd, sysfs_diag)
	')

	#Allow netmgrd operations
	allow netmgrd netmgrd:capability {
	net_raw
	net_admin
	setgid
	setuid
	setpcap
	};

	#Allow set persist.vendor.data.shs_ko_load
	#Allow set persist.vendor.data.shsusr_load
	#Allow set persist.vendor.data.perf_ko_load
	#Allow set persist.vendor.data.qmipriod_load
	#Allow set persist.vendor.data.offload_ko_load
	set_prop(netmgrd, vendor_radio_prop);

	#Allow netmgrd to use wakelock
	wakelock_use(netmgrd)

	r_dir_file(netmgrd, sysfs_ssr);

	#Allow operations on different types of sockets
	allow netmgrd self:netlink_route_socket nlmsg_write;
	allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
	allow netmgrd self:netlink_xfrm_socket create_socket_perms_no_ioctl;
	allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
	allow netmgrd self:qipcrtr_socket create_socket_perms_no_ioctl;

	#Allow writing of ipv6 network properties
	allow netmgrd proc_net:file rw_file_perms;

	#Allow netmgrd to create netmgrd socket
	allow netmgrd netmgrd_socket:dir create_dir_perms;
	allow netmgrd netmgrd_socket:sock_file create_file_perms;

	allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
	#Allow netmgrd to use netd HAL via HIDL
	allow netmgrd system_net_netd_hwservice:hwservice_manager find;
	get_prop(netmgrd, hwservicemanager_prop)
	hwbinder_use(netmgrd)
	binder_call(netmgrd, netd)

	allow netmgrd sysfs_net:dir r_dir_perms;
	allow netmgrd sysfs_net:file rw_file_perms;
	allow netmgrd sysfs_soc:dir search;
	allow netmgrd sysfs_soc:file r_file_perms;
	allow netmgrd sysfs_msm_subsys:dir r_dir_perms;
	allow netmgrd sysfs_msm_subsys:file r_file_perms;

	# Allow netmgrd logging mechanism
	allow netmgrd netmgrd_data_file:dir rw_dir_perms;
	allow netmgrd netmgrd_data_file:file create_file_perms;

	#Ignore if device loading for private IOCTL failed
	dontaudit netmgrd kernel:system module_request;