From f432d5d39ba808bd9fbd86d139c738ed4c5c4a30 Mon Sep 17 00:00:00 2001 
From: Max Bires Date: Fri, 10 Feb 2017 13:20:41 -0800 Subject: [PATCH] Added some allows to netmgrd.te Added allows to address the following denials. More to follow. denied { ioctl } for pid=747 comm="netmgrd" path="socket:[27886]" dev="sockfs" ino=27886 ioctlcmd=8946 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=udp_socket denied { ioctl } for pid=1295 comm="ifconfig" path="socket:[27883]" dev="sockfs" ino=27883 ioctlcmd=8914 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=udp_socket denied { ioctl } for pid=747 comm="netmgrd" path="socket:[27292]" dev="sockfs" ino=27292 ioctlcmd=89f8 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=udp_socket denied { ioctl } for pid=747 comm="netmgrd" path="socket:[27290]" dev="sockfs" ino=27290 ioctlcmd=89f2 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=udp_socket denied { ioctl } for pid=747 comm="netmgrd" path="socket:[27868]" dev="sockfs" ino=27868 ioctlcmd=89fd scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=udp_socket denied { getattr } for pid=1295 comm="ifconfig" path="/system/bin/toybox" dev="sda20" ino=509 scontext=u:r:netmgrd:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file denied { execute_no_trans } for pid=1295 comm="netmgrd" path="/system/bin/toybox" dev="sda20" ino=509 scontext=u:r:netmgrd:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file denied { read open } for pid=1295 comm="netmgrd" path="/system/bin/toybox" dev="sda20" ino=509 scontext=u:r:netmgrd:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file denied { execute } for pid=1295 comm="netmgrd" name="toybox" dev="sda20" ino=509 scontext=u:r:netmgrd:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file denied { read } for pid=1293 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=socket denied { write } for pid=747 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=socket denied { create } for pid=747 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=socket Bug: 
34784662 Test: The above denials are no longer present during boot Change-Id: I7b32552f96f2ee1cb79d8e4415823992d2d957da
---
 sepolicy/netmgrd.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 67c83d2..0066954 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -4,6 +4,11 @@ type netmgrd_exec, exec_type, file_type;
 net_domain(netmgrd)
 init_daemon_domain(netmgrd)
+allow netmgrd self:socket create_socket_perms_no_ioctl;
+allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
+
+allow netmgrd toolbox_exec:file rx_file_perms;
+
 userdebug_or_eng(`
 permissive netmgrd;
 ')
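Review bot: The new `allow netmgrd toolbox_exec:file rx_file_perms;` lets the daemon execute the whole toybox binary in its own domain, while the denials in the description show it is only spawned as `ifconfig` (comm="ifconfig", ioctlcmd=8914, which is SIOCSIFFLAGS) to set interface flags on a UDP socket — work the daemon could do itself with the very ioctls the preceding `allowxperm` line now grants it. The rule is therefore wider than the need and should at least carry a comment marking it as transitional, e.g. `# netmgrd shells out to toybox ifconfig to set interface flags; replace with direct SIOCSIFFLAGS ioctls and drop this rule`. The ioctlcmd values 89f2, 89f8 and 89fd lie in the SIOCDEVPRIVATE range (0x89F0-0x89FF), i.e. driver-defined commands; since the Test line says those denials are gone, `priv_sock_ioctls` presumably covers them, but a comment naming which private ioctls the driver expects would keep a later tightening of that macro from breaking this silently. The `self:socket` rule is backed by a denial on the generic `socket` class with no further detail, so it is unclear which socket family gets create/read/write here; if known, stating it in a comment above the rule would help the next reviewer.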