device_google_wahoo/sepolicy/netmgrd.te

type netmgrd, domain;
type netmgrd_exec, exec_type, file_type;

net_domain(netmgrd)
init_daemon_domain(netmgrd)

set_prop(netmgrd, net_radio_prop)

# communicate with netd
unix_socket_connect(netmgrd, netd, netd)

allow netmgrd netmgrd_socket:dir w_dir_perms;
allow netmgrd netmgrd_socket:sock_file { create setattr };
allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write };
allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow netmgrd self:netlink_route_socket nlmsg_write;
allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
allow netmgrd self:socket create_socket_perms;
allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;

allow netmgrd sysfs_net:dir r_dir_perms;
allow netmgrd sysfs_net:file rw_file_perms;
allow netmgrd sysfs_soc:dir search;
allow netmgrd sysfs_soc:file r_file_perms;
allow netmgrd sysfs_msm_subsys:dir r_dir_perms;
allow netmgrd sysfs_msm_subsys:file r_file_perms;

allow netmgrd system_file:file lock;

r_dir_file(netmgrd, sysfs_msm_subsys)

wakelock_use(netmgrd)

allow netmgrd proc_net:file rw_file_perms;
# TODO(b/36663482): Remove coredata_in_vendor_violators once
# netmgrd no longer directly accesses /data outside
# /data/vendor.
typeattribute netmgrd coredata_in_vendor_violators;
allow netmgrd net_data_file:dir r_dir_perms;
allow netmgrd net_data_file:file r_file_perms;
allow netmgrd netmgr_data_file:dir rw_dir_perms;
allow netmgrd netmgr_data_file:file create_file_perms;
allow netmgrd system_file:file execute_no_trans;

allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };

allow netmgrd toolbox_exec:file rx_file_perms;

userdebug_or_eng(`
permissive netmgrd;
')