# Policy for /system/bin/netmgrd
#
# Rules are grouped by the kind of resource they expose: domain set-up,
# IPC/radio transports, the daemon's own sockets, capabilities, filesystem,
# system properties, and debug-build-only grants.

type netmgrd, domain;
type netmgrd_exec, exec_type, file_type;

# Started by init; picks up the baseline rules shared by network domains.
init_daemon_domain(netmgrd)
net_domain(netmgrd)

# --- Radio / IPC transports ---------------------------------------------

# Qualcomm MSM Interface (QMI) radio sockets.
qmux_socket(netmgrd)

# The daemon may take wakelocks.
wakelock_use(netmgrd)

# --- Sockets owned by netmgrd -------------------------------------------

# Netlink route and xfrm sockets additionally need nlmsg read/write; the
# generic netlink, raw IP and plain socket classes get only the base set.
allow netmgrd self:{ netlink_route_socket netlink_xfrm_socket } { create_socket_perms nlmsg_read nlmsg_write };
allow netmgrd self:{ netlink_socket rawip_socket socket } create_socket_perms;

# Socket ioctls beyond the set every domain already receives.
allowxperm netmgrd self:udp_socket ioctl { priv_sock_ioctls SIOCKILLADDR };
allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;

# Own listening socket under /dev/socket/netmgrd/.
allow netmgrd netmgrd_socket:dir rw_dir_perms;
allow netmgrd netmgrd_socket:sock_file create_file_perms;

# Client side of netd's control socket.
unix_socket_connect(netmgrd, netd, netd)

# --- Capabilities ---------------------------------------------------------

# net_admin / net_raw: network configuration and raw sockets.
# setuid / setgid / setpcap: credential and capability changes; presumably
# used to drop privilege after start-up — confirm against the daemon.
allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };

# --- Filesystem -----------------------------------------------------------

# /proc/net: read and write.
allow netmgrd proc_net:file rw_file_perms;

# /data/misc/net: read only.
allow netmgrd net_data_file:dir r_dir_perms;
allow netmgrd net_data_file:file r_file_perms;

# Execute the shell, toolbox and other system_file-labelled binaries.
allow netmgrd { shell_exec system_file toolbox_exec }:file rx_file_perms;

# /sys: read everywhere, write only to the networking nodes (sysfs_net).
r_dir_file(netmgrd, sysfs_type)
allow netmgrd sysfs_net:file write;

# --- System properties ----------------------------------------------------

# Set properties labelled net_radio_prop.
set_prop(netmgrd, net_radio_prop)

# --- Debug builds only ----------------------------------------------------

# Diag device access is compiled in for userdebug/eng builds only.
userdebug_or_eng(`
  allow netmgrd diag_device:chr_file rw_file_perms;
')