type netmgrd, domain; type netmgrd_exec, exec_type, vendor_file_type, file_type; net_domain(netmgrd) init_daemon_domain(netmgrd) set_prop(netmgrd, vendor_net_radio_prop) set_prop(netmgrd, net_rmnet_prop) allow netmgrd netmgrd_socket:dir w_dir_perms; allow netmgrd netmgrd_socket:sock_file create_file_perms; allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write }; allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl; allow netmgrd self:netlink_route_socket nlmsg_write; allow netmgrd self:netlink_socket create_socket_perms_no_ioctl; allow netmgrd self:socket create_socket_perms; allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls; allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls; allow netmgrd sysfs_net:dir r_dir_perms; allow netmgrd sysfs_net:file rw_file_perms; allow netmgrd sysfs_soc:dir search; allow netmgrd sysfs_soc:file r_file_perms; allow netmgrd sysfs_msm_subsys:dir r_dir_perms; allow netmgrd sysfs_msm_subsys:file r_file_perms; r_dir_file(netmgrd, sysfs_msm_subsys) wakelock_use(netmgrd) #Allow netutils usage domain_auto_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper) allow netmgrd netutils_wrapper:process sigkill; #Allow diag logging allow netmgrd sysfs_timestamp_switch:file { read open }; userdebug_or_eng(` r_dir_file(netmgrd, sysfs_diag) allow netmgrd diag_device:chr_file rw_file_perms; ') dontaudit netmgrd diag_device:chr_file rw_file_perms; #Ignore if device loading for private IOCTL failed dontaudit netmgrd kernel:system { module_request }; allow netmgrd proc_net_type:file rw_file_perms; allow netmgrd netmgr_data_file:dir rw_dir_perms; allow netmgrd netmgr_data_file:file create_file_perms; allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid }; allow netmgrd vendor_toolbox_exec:file rx_file_perms; # Allow netmgrd to use netd HAL allow netmgrd system_net_netd_hwservice:hwservice_manager find; get_prop(netmgrd, hwservicemanager_prop) binder_call(netmgrd, netd) hwbinder_use(netmgrd) dontaudit netmgrd kernel:system module_request; dontaudit netmgrd self:system module_request;