typeattribute netutils_wrapper coredomain; typeattribute netutils_wrapper bpfdomain; r_dir_file(netutils_wrapper, system_file); # For netutils (ip, iptables, tc) allow netutils_wrapper self:global_capability_class_set net_raw; allow netutils_wrapper system_file:file { execute execute_no_trans }; allow netutils_wrapper proc_net_type:file { open read getattr }; allow netutils_wrapper self:rawip_socket create_socket_perms; allow netutils_wrapper self:udp_socket create_socket_perms; allow netutils_wrapper self:global_capability_class_set net_admin; # ip utils need everything but ioctl allow netutils_wrapper self:netlink_route_socket ~ioctl; allow netutils_wrapper self:netlink_xfrm_socket ~ioctl; # For netutils (ndc) to be able to talk to netd allow netutils_wrapper netd_service:service_manager find; allow netutils_wrapper dnsresolver_service:service_manager find; allow netutils_wrapper mdns_service:service_manager find; binder_use(netutils_wrapper); binder_call(netutils_wrapper, netd); # For vendor code that update the iptables rules at runtime. They need to reload # the whole chain including the xt_bpf rules. They need to access to the pinned # program when reloading the rule. allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search; allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read }; allow netutils_wrapper { fs_bpf }:file write; allow netutils_wrapper bpfloader:bpf prog_run; # For /data/misc/net access to ndc and ip r_dir_file(netutils_wrapper, net_data_file) domain_auto_trans({ domain -coredomain -appdomain }, netutils_wrapper_exec, netutils_wrapper) # suppress spurious denials dontaudit netutils_wrapper self:global_capability_class_set sys_resource; dontaudit netutils_wrapper sysfs_type:file read; # netutils wrapper may only use the following capabilities. neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };