Android_Device_Mediatek_Sep.../basic/debug/plat_private/netdiag.te

# ==============================================
# Common SEPolicy Rule
# ==============================================

type netdiag_exec, system_file_type, exec_type, file_type;
typeattribute netdiag coredomain;
typeattribute netdiag mlstrustedsubject;

init_daemon_domain(netdiag)

# Purpose : for access storage file
allow netdiag sdcard_type:dir create_dir_perms;
allow netdiag sdcard_type:file create_file_perms;
allow netdiag domain:dir search;
allow netdiag domain:file r_file_perms;
allow netdiag net_data_file:file r_file_perms;
allow netdiag net_data_file:dir search;
allow netdiag storage_file:dir search;
allow netdiag storage_file:lnk_file r_file_perms;
allow netdiag mnt_user_file:dir search;
allow netdiag mnt_user_file:lnk_file r_file_perms;
allow netdiag platform_app:dir search;
allow netdiag untrusted_app:dir search;
allow netdiag mnt_media_rw_file:dir search;
allow netdiag vfat:dir create_dir_perms;
allow netdiag vfat:file create_file_perms;
allow netdiag tmpfs:lnk_file r_file_perms;
allow netdiag system_file:file rx_file_perms;

# Purpose : for shell, set uid and gid
allow netdiag self:capability { net_admin setuid net_raw setgid};
allow netdiag shell_exec:file rx_file_perms;

#access /proc/318/net/psched
allow netdiag proc_net:file r_file_perms;

# Purpose : for ping
allow netdiag dnsproxyd_socket:sock_file w_file_perms;
allow netdiag fwmarkd_socket:sock_file w_file_perms;
allow netdiag netd:unix_stream_socket connectto;
allow netdiag self:udp_socket create_socket_perms;

# Purpose : for service permission
allow netdiag connectivity_service:service_manager find;
allow netdiag netstats_service:service_manager find;
allow netdiag system_server:binder call;
allow netdiag servicemanager:binder call;
binder_use(netdiag)

# Purpose : for dumpsys permission
allow netdiag connmetrics_service:service_manager find;
allow netdiag netpolicy_service:service_manager find;
allow netdiag network_management_service:service_manager find;
allow netdiag settings_service:service_manager find;

# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop
get_prop(netdiag, device_logging_prop)
get_prop(netdiag, mmc_prop)
allow netdiag proc_net:dir r_dir_perms;
get_prop(netdiag, safemode_prop)
allow netdiag toolbox_exec:file rx_file_perms;

# purpose: allow netdiag to access storage in new version
allow netdiag media_rw_data_file:file create_file_perms;
allow netdiag media_rw_data_file:dir create_dir_perms;

# Purpose : for ip spec output
allow netdiag self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

# Purpose: for socket error of tcpdump
allow netdiag self:packet_socket create_socket_perms;
allowxperm netdiag self:packet_socket ioctl {SIOCGIFINDEX SIOCGSTAMP};
allow netdiag proc_net_tcp_udp:file r_file_perms;

# Purpose: for ip
allow netdiag self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read };

# Purpose: for iptables
allow netdiag kernel:system module_request;
allow netdiag self:rawip_socket create_socket_perms_no_ioctl;

#Purpose : for network log property
set_prop(netdiag, system_mtk_debug_netlog_prop)
set_prop(netdiag, system_mtk_persist_mtklog_prop)
set_prop(netdiag, system_mtk_debug_mtklog_prop)

## Android P migration
allow netdiag proc_qtaguid_stat:dir r_dir_perms;
allow netdiag proc_qtaguid_stat:file r_file_perms;
allow netdiag netd:binder call;
get_prop(netdiag, apexd_prop)

# Q save log into /data/debuglogger
allow netdiag debuglog_data_file:dir {relabelto create_dir_perms};
allow netdiag debuglog_data_file:file create_file_perms;

# add for dump network_stack
allow netdiag network_stack:binder call;
allow netdiag network_stack_service:service_manager find;

# add for unlink file_tree.txt
allow netdiag debuglog_data_file:lnk_file { getattr unlink };
mtk-sepolicy: Initial SEPolicy rules 2022-08-14 15:07:12 +02:00			`# ==============================================`
			`# Common SEPolicy Rule`
			`# ==============================================`

			`type netdiag_exec, system_file_type, exec_type, file_type;`
			`typeattribute netdiag coredomain;`
			`typeattribute netdiag mlstrustedsubject;`

			`init_daemon_domain(netdiag)`

			`# Purpose : for access storage file`
			`allow netdiag sdcard_type:dir create_dir_perms;`
			`allow netdiag sdcard_type:file create_file_perms;`
			`allow netdiag domain:dir search;`
			`allow netdiag domain:file r_file_perms;`
			`allow netdiag net_data_file:file r_file_perms;`
			`allow netdiag net_data_file:dir search;`
			`allow netdiag storage_file:dir search;`
			`allow netdiag storage_file:lnk_file r_file_perms;`
			`allow netdiag mnt_user_file:dir search;`
			`allow netdiag mnt_user_file:lnk_file r_file_perms;`
			`allow netdiag platform_app:dir search;`
			`allow netdiag untrusted_app:dir search;`
			`allow netdiag mnt_media_rw_file:dir search;`
			`allow netdiag vfat:dir create_dir_perms;`
			`allow netdiag vfat:file create_file_perms;`
			`allow netdiag tmpfs:lnk_file r_file_perms;`
			`allow netdiag system_file:file rx_file_perms;`

			`# Purpose : for shell, set uid and gid`
			`allow netdiag self:capability { net_admin setuid net_raw setgid};`
			`allow netdiag shell_exec:file rx_file_perms;`

			`#access /proc/318/net/psched`
			`allow netdiag proc_net:file r_file_perms;`

			`# Purpose : for ping`
			`allow netdiag dnsproxyd_socket:sock_file w_file_perms;`
			`allow netdiag fwmarkd_socket:sock_file w_file_perms;`
			`allow netdiag netd:unix_stream_socket connectto;`
			`allow netdiag self:udp_socket create_socket_perms;`

			`# Purpose : for service permission`
			`allow netdiag connectivity_service:service_manager find;`
			`allow netdiag netstats_service:service_manager find;`
			`allow netdiag system_server:binder call;`
			`allow netdiag servicemanager:binder call;`
			`binder_use(netdiag)`

			`# Purpose : for dumpsys permission`
			`allow netdiag connmetrics_service:service_manager find;`
			`allow netdiag netpolicy_service:service_manager find;`
			`allow netdiag network_management_service:service_manager find;`
			`allow netdiag settings_service:service_manager find;`

			`# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop`
			`get_prop(netdiag, device_logging_prop)`
			`get_prop(netdiag, mmc_prop)`
			`allow netdiag proc_net:dir r_dir_perms;`
			`get_prop(netdiag, safemode_prop)`
			`allow netdiag toolbox_exec:file rx_file_perms;`

			`# purpose: allow netdiag to access storage in new version`
			`allow netdiag media_rw_data_file:file create_file_perms;`
			`allow netdiag media_rw_data_file:dir create_dir_perms;`

			`# Purpose : for ip spec output`
			`allow netdiag self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };`

			`# Purpose: for socket error of tcpdump`
			`allow netdiag self:packet_socket create_socket_perms;`
			`allowxperm netdiag self:packet_socket ioctl {SIOCGIFINDEX SIOCGSTAMP};`
			`allow netdiag proc_net_tcp_udp:file r_file_perms;`

			`# Purpose: for ip`
			`allow netdiag self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read };`

			`# Purpose: for iptables`
			`allow netdiag kernel:system module_request;`
			`allow netdiag self:rawip_socket create_socket_perms_no_ioctl;`

			`#Purpose : for network log property`
			`set_prop(netdiag, system_mtk_debug_netlog_prop)`
			`set_prop(netdiag, system_mtk_persist_mtklog_prop)`
			`set_prop(netdiag, system_mtk_debug_mtklog_prop)`

			`## Android P migration`
			`allow netdiag proc_qtaguid_stat:dir r_dir_perms;`
			`allow netdiag proc_qtaguid_stat:file r_file_perms;`
			`allow netdiag netd:binder call;`
			`get_prop(netdiag, apexd_prop)`

			`# Q save log into /data/debuglogger`
			`allow netdiag debuglog_data_file:dir {relabelto create_dir_perms};`
			`allow netdiag debuglog_data_file:file create_file_perms;`

			`# add for dump network_stack`
			`allow netdiag network_stack:binder call;`
			`allow netdiag network_stack_service:service_manager find;`

			`# add for unlink file_tree.txt`
			`allow netdiag debuglog_data_file:lnk_file { getattr unlink };`