# Policy for /system/bin/netmgrd type netmgrd, domain; type netmgrd_exec, exec_type, file_type; init_daemon_domain(netmgrd) net_domain(netmgrd) # Grant access to Qualcomm MSM Interface (QMI) radio sockets qmux_socket(netmgrd) wakelock_use(netmgrd) # create socket in /dev/socket/netmgrd/ allow netmgrd netmgrd_socket:dir rw_dir_perms; allow netmgrd netmgrd_socket:sock_file create_file_perms; # communicate with netd unix_socket_connect(netmgrd, netd, netd) allow netmgrd proc_net:file rw_file_perms; allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid }; # read /data/misc/net allow netmgrd net_data_file:dir r_dir_perms; allow netmgrd net_data_file:file r_file_perms; # execute shell, ip, and toolbox allow netmgrd shell_exec:file rx_file_perms; allow netmgrd system_file:file rx_file_perms; allow netmgrd toolbox_exec:file rx_file_perms; # netmgrd sockets allow netmgrd self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; allow netmgrd self:netlink_socket create_socket_perms; allow netmgrd self:netlink_xfrm_socket { create_socket_perms nlmsg_read nlmsg_write }; allow netmgrd self:rawip_socket create_socket_perms; allow netmgrd self:socket create_socket_perms; # in addition to ioctl commands granted to domain allow netmgrd to use: allowxperm netmgrd self:udp_socket ioctl { priv_sock_ioctls SIOCKILLADDR }; allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls; set_prop(netmgrd, net_radio_prop) # read files in /sys r_dir_file(netmgrd, sysfs_type) allow netmgrd sysfs_net:file write; userdebug_or_eng(` allow netmgrd diag_device:chr_file rw_file_perms; ')