basic/debug/plat_private/netdiag.te - LeafOS-Devices/android_device_mediatek_sepolicy_vndr - Gitiles

 # ==============================================
 # Common SEPolicy Rule
 # ==============================================

 type netdiag_exec, system_file_type, exec_type, file_type;
 typeattribute netdiag coredomain;
 typeattribute netdiag mlstrustedsubject;

 init_daemon_domain(netdiag)

 # Purpose : for access storage file
 allow netdiag sdcard_type:dir create_dir_perms;
 allow netdiag sdcard_type:file create_file_perms;
 allow netdiag domain:dir search;
 allow netdiag domain:file r_file_perms;
 allow netdiag net_data_file:file r_file_perms;
 allow netdiag net_data_file:dir search;
 allow netdiag storage_file:dir search;
 allow netdiag storage_file:lnk_file r_file_perms;
 allow netdiag mnt_user_file:dir search;
 allow netdiag mnt_user_file:lnk_file r_file_perms;
 allow netdiag platform_app:dir search;
 allow netdiag untrusted_app:dir search;
 allow netdiag mnt_media_rw_file:dir search;
 allow netdiag vfat:dir create_dir_perms;
 allow netdiag vfat:file create_file_perms;
 allow netdiag tmpfs:lnk_file r_file_perms;
 allow netdiag system_file:file rx_file_perms;

 # Purpose : for shell, set uid and gid
 allow netdiag self:capability { net_admin setuid net_raw setgid};
 allow netdiag shell_exec:file rx_file_perms;

 #access /proc/318/net/psched
 allow netdiag proc_net:file r_file_perms;

 # Purpose : for ping
 allow netdiag dnsproxyd_socket:sock_file w_file_perms;
 allow netdiag fwmarkd_socket:sock_file w_file_perms;
 allow netdiag netd:unix_stream_socket connectto;
 allow netdiag self:udp_socket create_socket_perms;

 # Purpose : for service permission
 allow netdiag connectivity_service:service_manager find;
 allow netdiag netstats_service:service_manager find;
 allow netdiag system_server:binder call;
 allow netdiag servicemanager:binder call;
 binder_use(netdiag)

 # Purpose : for dumpsys permission
 allow netdiag connmetrics_service:service_manager find;
 allow netdiag netpolicy_service:service_manager find;
 allow netdiag network_management_service:service_manager find;
 allow netdiag settings_service:service_manager find;

 # Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop
 get_prop(netdiag, device_logging_prop)
 get_prop(netdiag, mmc_prop)
 allow netdiag proc_net:dir r_dir_perms;
 get_prop(netdiag, safemode_prop)
 allow netdiag toolbox_exec:file rx_file_perms;

 # purpose: allow netdiag to access storage in new version
 allow netdiag media_rw_data_file:file create_file_perms;
 allow netdiag media_rw_data_file:dir create_dir_perms;

 # Purpose : for ip spec output
 allow netdiag self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

 # Purpose: for socket error of tcpdump
 allow netdiag self:packet_socket create_socket_perms;
 allowxperm netdiag self:packet_socket ioctl {SIOCGIFINDEX SIOCGSTAMP};
 allow netdiag proc_net_tcp_udp:file r_file_perms;

 # Purpose: for ip
 allow netdiag self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read };

 # Purpose: for iptables
 allow netdiag kernel:system module_request;
 allow netdiag self:rawip_socket create_socket_perms_no_ioctl;

 #Purpose : for network log property
 set_prop(netdiag, system_mtk_debug_netlog_prop)
 set_prop(netdiag, system_mtk_persist_mtklog_prop)
 set_prop(netdiag, system_mtk_debug_mtklog_prop)

 ## Android P migration
 allow netdiag proc_qtaguid_stat:dir r_dir_perms;
 allow netdiag proc_qtaguid_stat:file r_file_perms;
 allow netdiag netd:binder call;
 get_prop(netdiag, apexd_prop)

 # Q save log into /data/debuglogger
 allow netdiag debuglog_data_file:dir {relabelto create_dir_perms};
 allow netdiag debuglog_data_file:file create_file_perms;

 # add for dump network_stack
 allow netdiag network_stack:binder call;
 allow netdiag network_stack_service:service_manager find;

 # add for unlink file_tree.txt
 allow netdiag debuglog_data_file:lnk_file { getattr unlink };
	# ==============================================
	# Common SEPolicy Rule
	# ==============================================

	type netdiag_exec, system_file_type, exec_type, file_type;
	typeattribute netdiag coredomain;
	typeattribute netdiag mlstrustedsubject;

	init_daemon_domain(netdiag)

	# Purpose : for access storage file
	allow netdiag sdcard_type:dir create_dir_perms;
	allow netdiag sdcard_type:file create_file_perms;
	allow netdiag domain:dir search;
	allow netdiag domain:file r_file_perms;
	allow netdiag net_data_file:file r_file_perms;
	allow netdiag net_data_file:dir search;
	allow netdiag storage_file:dir search;
	allow netdiag storage_file:lnk_file r_file_perms;
	allow netdiag mnt_user_file:dir search;
	allow netdiag mnt_user_file:lnk_file r_file_perms;
	allow netdiag platform_app:dir search;
	allow netdiag untrusted_app:dir search;
	allow netdiag mnt_media_rw_file:dir search;
	allow netdiag vfat:dir create_dir_perms;
	allow netdiag vfat:file create_file_perms;
	allow netdiag tmpfs:lnk_file r_file_perms;
	allow netdiag system_file:file rx_file_perms;

	# Purpose : for shell, set uid and gid
	allow netdiag self:capability { net_admin setuid net_raw setgid};
	allow netdiag shell_exec:file rx_file_perms;

	#access /proc/318/net/psched
	allow netdiag proc_net:file r_file_perms;

	# Purpose : for ping
	allow netdiag dnsproxyd_socket:sock_file w_file_perms;
	allow netdiag fwmarkd_socket:sock_file w_file_perms;
	allow netdiag netd:unix_stream_socket connectto;
	allow netdiag self:udp_socket create_socket_perms;

	# Purpose : for service permission
	allow netdiag connectivity_service:service_manager find;
	allow netdiag netstats_service:service_manager find;
	allow netdiag system_server:binder call;
	allow netdiag servicemanager:binder call;
	binder_use(netdiag)

	# Purpose : for dumpsys permission
	allow netdiag connmetrics_service:service_manager find;
	allow netdiag netpolicy_service:service_manager find;
	allow netdiag network_management_service:service_manager find;
	allow netdiag settings_service:service_manager find;

	# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop
	get_prop(netdiag, device_logging_prop)
	get_prop(netdiag, mmc_prop)
	allow netdiag proc_net:dir r_dir_perms;
	get_prop(netdiag, safemode_prop)
	allow netdiag toolbox_exec:file rx_file_perms;

	# purpose: allow netdiag to access storage in new version
	allow netdiag media_rw_data_file:file create_file_perms;
	allow netdiag media_rw_data_file:dir create_dir_perms;

	# Purpose : for ip spec output
	allow netdiag self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

	# Purpose: for socket error of tcpdump
	allow netdiag self:packet_socket create_socket_perms;
	allowxperm netdiag self:packet_socket ioctl {SIOCGIFINDEX SIOCGSTAMP};
	allow netdiag proc_net_tcp_udp:file r_file_perms;

	# Purpose: for ip
	allow netdiag self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read };

	# Purpose: for iptables
	allow netdiag kernel:system module_request;
	allow netdiag self:rawip_socket create_socket_perms_no_ioctl;

	#Purpose : for network log property
	set_prop(netdiag, system_mtk_debug_netlog_prop)
	set_prop(netdiag, system_mtk_persist_mtklog_prop)
	set_prop(netdiag, system_mtk_debug_mtklog_prop)

	## Android P migration
	allow netdiag proc_qtaguid_stat:dir r_dir_perms;
	allow netdiag proc_qtaguid_stat:file r_file_perms;
	allow netdiag netd:binder call;
	get_prop(netdiag, apexd_prop)

	# Q save log into /data/debuglogger
	allow netdiag debuglog_data_file:dir {relabelto create_dir_perms};
	allow netdiag debuglog_data_file:file create_file_perms;

	# add for dump network_stack
	allow netdiag network_stack:binder call;
	allow netdiag network_stack_service:service_manager find;

	# add for unlink file_tree.txt
	allow netdiag debuglog_data_file:lnk_file { getattr unlink };