private/netutils_wrapper.te - platform/system/sepolicy - Git at Google

 typeattribute netutils_wrapper coredomain;

 r_dir_file(netutils_wrapper, system_file);

 # For netutils (ip, iptables, tc)
 allow netutils_wrapper self:global_capability_class_set net_raw;

 allow netutils_wrapper system_file:file { execute execute_no_trans };
 allow netutils_wrapper proc_net_type:file { open read getattr };
 allow netutils_wrapper self:rawip_socket create_socket_perms;
 allow netutils_wrapper self:udp_socket create_socket_perms;
 allow netutils_wrapper self:global_capability_class_set net_admin;
 # ip utils need everything but ioctl
 allow netutils_wrapper self:netlink_route_socket ~ioctl;
 allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;

 # For netutils (ndc) to be able to talk to netd
 allow netutils_wrapper netd_service:service_manager find;
 allow netutils_wrapper dnsresolver_service:service_manager find;
 binder_use(netutils_wrapper);
 binder_call(netutils_wrapper, netd);

 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
 allow netutils_wrapper fs_bpf:dir search;
 allow netutils_wrapper fs_bpf:file { read write };
 allow netutils_wrapper bpfloader:bpf prog_run;

 # For /data/misc/net access to ndc and ip
 r_dir_file(netutils_wrapper, net_data_file)

 domain_auto_trans({
     domain
     -coredomain
     -appdomain
 }, netutils_wrapper_exec, netutils_wrapper)

 # suppress spurious denials
 dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
 dontaudit netutils_wrapper sysfs_type:file read;

 # netutils wrapper may only use the following capabilities.
 neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
	typeattribute netutils_wrapper coredomain;

	r_dir_file(netutils_wrapper, system_file);

	# For netutils (ip, iptables, tc)
	allow netutils_wrapper self:global_capability_class_set net_raw;

	allow netutils_wrapper system_file:file { execute execute_no_trans };
	allow netutils_wrapper proc_net_type:file { open read getattr };
	allow netutils_wrapper self:rawip_socket create_socket_perms;
	allow netutils_wrapper self:udp_socket create_socket_perms;
	allow netutils_wrapper self:global_capability_class_set net_admin;
	# ip utils need everything but ioctl
	allow netutils_wrapper self:netlink_route_socket ~ioctl;
	allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;

	# For netutils (ndc) to be able to talk to netd
	allow netutils_wrapper netd_service:service_manager find;
	allow netutils_wrapper dnsresolver_service:service_manager find;
	binder_use(netutils_wrapper);
	binder_call(netutils_wrapper, netd);

	# For vendor code that update the iptables rules at runtime. They need to reload
	# the whole chain including the xt_bpf rules. They need to access to the pinned
	# program when reloading the rule.
	allow netutils_wrapper fs_bpf:dir search;
	allow netutils_wrapper fs_bpf:file { read write };
	allow netutils_wrapper bpfloader:bpf prog_run;

	# For /data/misc/net access to ndc and ip
	r_dir_file(netutils_wrapper, net_data_file)

	domain_auto_trans({
	domain
	-coredomain
	-appdomain
	}, netutils_wrapper_exec, netutils_wrapper)

	# suppress spurious denials
	dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
	dontaudit netutils_wrapper sysfs_type:file read;

	# netutils wrapper may only use the following capabilities.
	neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };