Add sepolicy rules for cne and netmgr daemons

type=1400 audit(0.0:92): avc: denied { write } for name="cnd" dev="tmpfs" ino=10477 scontext=u:r:system_app:s0 tcontext=u:object_r:cnd_socket:s0 tclass=sock_file permissive=1
type=1400 audit(1421897629.744:92): avc: denied { write } for pid=1443 comm="CNEReceiver" name="cnd" dev="tmpfs" ino=10477 scontext=u:r:system_app:s0 tcontext=u:object_r:cnd_socket:s0 tclass=sock_file permissive=1
type=1400 audit(1421899275.556:4): avc: denied { setuid } for pid=380 comm="cnd" capability=7 scontext=u:r:cnd:s0 tcontext=u:r:cnd:s0 tclass=capability permissive=1
type=1400 audit(1421899275.556:5): avc: denied { setgid } for pid=380 comm="cnd" capability=6 scontext=u:r:cnd:s0 tcontext=u:r:cnd:s0 tclass=capability permissive=1
type=1400 audit(1421899313.314:158): avc: denied { net_raw } for pid=380 comm="cnd" capability=13 scontext=u:r:cnd:s0 tcontext=u:r:cnd:s0 tclass=capability permissive=1
type=1400 audit(1421900557.215:101): avc: denied { write } for pid=1488 comm="CNEReceiver" name="cnd" dev="tmpfs" ino=9790 scontext=u:r:system_app:s0 tcontext=u:object_r:cnd_socket:s0 tclass=sock_file permissive=1
type=1400 audit(1421900557.215:102): avc: denied { connectto } for pid=1488 comm="CNEReceiver" path="/dev/socket/cnd" scontext=u:r:system_app:s0 tcontext=u:r:cnd:s0 tclass=unix_stream_socket permissive=1

type=1400 audit(1421897628.604:91): avc: denied { write } for pid=1120 comm="netmgrd" name="cnd" dev="tmpfs" ino=10477 scontext=u:r:netmgrd:s0 tcontext=u:object_r:cnd_socket:s0 tclass=sock_file permissive=1
type=1400 audit(1421899287.166:142): avc: denied { connectto } for pid=1387 comm="netmgrd" path="/dev/socket/cnd" scontext=u:r:netmgrd:s0 tcontext=u:r:cnd:s0 tclass=unix_stream_socket permissive=1
type=1400 audit(1421897649.566:95): avc: denied { read } for pid=2479 comm="ip" name="rt_tables" dev="dm-0" ino=1126114 scontext=u:r:netmgrd:s0 tcontext=u:object_r:net_data_file:s0 tclass=file permissive=1
type=1400 audit(1421897649.566:96): avc: denied { open } for pid=2479 comm="ip" path="/data/misc/net/rt_tables" dev="dm-0" ino=1126114 scontext=u:r:netmgrd:s0 tcontext=u:object_r:net_data_file:s0 tclass=file permissive=1
type=1400 audit(1421897649.566:97): avc: denied { getattr } for pid=2479 comm="ip" path="/data/misc/net/rt_tables" dev="dm-0" ino=1126114 scontext=u:r:netmgrd:s0 tcontext=u:object_r:net_data_file:s0 tclass=file permissive=1
avc:  denied  { set } for property=net.r_rmnet_data0.dns1 scontext=u:r:netmgrd:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
type=1400 audit(1421897727.456:102): avc: denied { nlmsg_write } for pid=2670 comm="ip" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket permissive=1
type=1400 audit(1421897749.966:106): avc: denied { nlmsg_read } for pid=2841 comm="ip" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_xfrm_socket permissive=1

Change-Id: I03ef32f0aec23eaab011309983a0fad551a65a1a
diff --git a/BoardConfig.mk b/BoardConfig.mk
index b62a927..38793b8 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -121,6 +121,7 @@
         bootanim.te \
         bridge.te \
         camera.te \
+        cnd.te \
         device.te \
         domain.te \
         file.te \
diff --git a/init.shamu.rc b/init.shamu.rc
index f2a060b..27c0262 100644
--- a/init.shamu.rc
+++ b/init.shamu.rc
@@ -605,3 +605,7 @@
     class late_start
     user system
     group system radio
+
+service cnd /system/bin/cnd
+    class late_start
+    socket cnd stream 660 root inet
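Review bot: The new `service cnd` stanza has no `user`/`group` lines, so init starts cnd as root, and the only thing constraining it is the cnd domain, which this same commit grants setuid, setgid and net_raw. If cnd can be started unprivileged, prefer `user system` / `group system inet` (the preceding service in this file sets `user system`) and drop the setuid/setgid capability grant; if it really must start as root and drop privileges itself, say so above the stanza, e.g. `# cnd must start as root and drops privileges itself (see sepolicy/cnd.te)`. The socket is created `660 root inet`, so at the DAC level a client must also be root or in the inet group; worth confirming the system_app client seen in the denials (CNEReceiver) actually has that group, otherwise the SELinux connectto grant elsewhere in this commit is moot.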
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
new file mode 100644
index 0000000..ed498f9
--- /dev/null
+++ b/sepolicy/cnd.te
@@ -0,0 +1,13 @@
+#permissive cnd;
+type cnd, domain;
+type cnd_exec, exec_type, file_type;
+
+# cnd is started by init, type transit from init domain to cnd domain
+init_daemon_domain(cnd)
+# associate netdomain as an attribute of cnd domain
+net_domain(cnd)
+
+allow cnd self:capability { net_raw setuid setgid };
+
+allow cnd netmgrd:dir search;
+allow cnd netmgrd:file r_file_perms;
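Review bot: The last two rules, `allow cnd netmgrd:dir search;` and `allow cnd netmgrd:file r_file_perms;`, let cnd read netmgrd's /proc/<pid> entries, yet none of the denials in the commit message show cnd touching netmgrd — the only cnd denials listed are the three capabilities. Either drop these two lines or record the avc line that motivated them as a comment directly above them so the grant stays auditable. The leftover `#permissive cnd;` on the first line is a one-character re-enable waiting to happen; replace it with a description of the domain, e.g. `# cnd: connectivity daemon started from init.shamu.rc; clients reach it via /dev/socket/cnd`.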
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 197e9b5..38ccfe0 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -2,6 +2,8 @@
 type firmware_file, fs_type, contextmount_type;
 type fsg_file, fs_type, contextmount_type;
 
+type cnd_socket, file_type;
+
 type adspd_socket, file_type;
 type camera_socket, file_type;
 type mpdecision_socket, file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 97f4244..aa1195f 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -157,3 +157,6 @@
 
 /system/bin/imsdatadaemon                       u:object_r:ims_exec:s0
 /system/bin/imsqmidaemon                        u:object_r:ims_exec:s0
+
+/dev/socket/cnd  u:object_r:cnd_socket:s0
+/system/bin/cnd  u:object_r:cnd_exec:s0
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index d7ff8d1..09c5c32 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -25,12 +25,17 @@
 # Runs /system/bin/toolbox
 allow netmgrd system_file:file rx_file_perms;
 
+#Allow operations on different types of sockets
 allow netmgrd self:netlink_socket create_socket_perms;
+allow netmgrd self:rawip_socket create_socket_perms;
 allow netmgrd self:netlink_route_socket nlmsg_write;
-allow netmgrd self:netlink_xfrm_socket create_socket_perms;
+allow netmgrd self:netlink_xfrm_socket { create_socket_perms nlmsg_write nlmsg_read };
 
 # b/17065650
-allow netmgrd self:socket {create ioctl read};
+allow netmgrd self:socket create_socket_perms;
+
+#Allow communication with cnd
+unix_socket_connect(netmgrd, cnd, cnd)
 
 # CONFIG_MODULES not set in shamu_defconfig
 dontaudit netmgrd self:capability sys_module;
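Review bot: `allow netmgrd self:rawip_socket create_socket_perms;` and the widening of `self:socket` from `{create ioctl read}` to the full `create_socket_perms` are not backed by any denial in the commit message — the only netmgrd socket denials listed are nlmsg_read/nlmsg_write on netlink_xfrm_socket, which the other changed line already covers. Keep the original `allow netmgrd self:socket {create ioctl read};` for b/17065650 unless a fresh avc line shows which permission is missing, and either drop the rawip_socket rule or note the denial that requires it next to it. Raw IP sockets are a sizeable addition for a domain that, in the same hunk, also gains a client path into cnd via `unix_socket_connect(netmgrd, cnd, cnd)`, and cnd is started without a `user` line in init.shamu.rc, i.e. as root.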
@@ -39,9 +44,12 @@
 unix_socket_connect(netmgrd, property, init)
 allow netmgrd net_radio_prop:property_service set;
 
+#Set netmgrd properties
+allow netmgrd qcom_netmgrd_prop:property_service set;
+
 # Permission to run netd commands
 allow netmgrd netd_socket:sock_file write;
 
 #Allow access to files associated with netd
+allow netmgrd net_data_file:file r_file_perms;
 allow netmgrd net_data_file:dir r_dir_perms;
-
diff --git a/sepolicy/property.te b/sepolicy/property.te
index 201d6b7..07b30c7 100644
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -1 +1,2 @@
  type qcom_ims_prop, property_type;
+ type qcom_netmgrd_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 74da243..d7d0d0f 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -1 +1,2 @@
 sys.ims.        u:object_r:qcom_ims_prop:s0
+net.r_rmnet     u:object_r:qcom_netmgrd_prop:s0
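Review bot: `net.r_rmnet` is a prefix match, so every property beginning with that string (the denial in the message shows `net.r_rmnet_data0.dns1`) moves from system_prop to qcom_netmgrd_prop, and any domain that previously set these through a system_prop grant silently loses that ability — in this commit only netmgrd receives `qcom_netmgrd_prop:property_service set`. Confirm before landing that no other domain writes `net.r_rmnet*` properties; if one does, it needs the same set rule. A short comment on the line would help the next reader, e.g. `# per-rmnet-interface net.* properties, written by netmgrd (see sepolicy/netmgrd.te)`.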
diff --git a/sepolicy/service.te b/sepolicy/service.te
index 612d43d..a454fb7 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -1 +1,2 @@
 type atfwd_service,             service_manager_type;
+type cne_service,               service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 2c7dfc7..28b6ce1 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -1,2 +1,3 @@
 rcs                                       u:object_r:radio_service:s0
 AtCmdFwd                                  u:object_r:atfwd_service:s0
+cneservice                                u:object_r:cne_service:s0
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 64304d0..5816c96 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -4,3 +4,7 @@
 allow system_app time:unix_stream_socket connectto;
 
 allow system_app atfwd_service:service_manager add;
+
+allow system_app cne_service:service_manager add;
+
+unix_socket_connect(system_app, cnd, cnd)
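Review bot: `unix_socket_connect(system_app, cnd, cnd)` opens the cnd control socket to the whole system_app domain — every app running as the system uid — rather than just the CNE receiver whose denials motivated it (comm="CNEReceiver"), and cnd is started from init.shamu.rc with no `user` line, i.e. as root. If the CNE client is its own APK, a dedicated app domain (via seapp_contexts) with the connect granted there would keep the rest of system_app away from a root daemon's socket; if that is not feasible, at least record the intended client above the rule, e.g. `# CNE app (CNEReceiver) talks to cnd over /dev/socket/cnd`. The `cne_service:service_manager add` rule has the same breadth but is the lesser concern since it only registers a binder service.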