sepolicy changes for network stack app

The networking stack app hosts services that used to run in the system
server (IpClient and NetworkMonitor for now), but in a separate process
so that it can be packaged as a mainline module.

Test: booted, verified networking stack working when in app
Change-Id: I300a556f51b35c17378af961cea1ec937444e597
diff --git a/private/network_stack.te b/private/network_stack.te
new file mode 100644
index 0000000..d250ebd
--- /dev/null
+++ b/private/network_stack.te
@@ -0,0 +1,25 @@
+# Networking service app
+typeattribute network_stack coredomain;
+
+app_domain(network_stack);
+net_domain(network_stack);
+
+allow network_stack self:global_capability_class_set {
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+};
+
+# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
+allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# The DhcpClient uses packet_sockets
+allow network_stack self:packet_socket create_socket_perms_no_ioctl;
+
+allow network_stack activity_service:service_manager find;
+allow network_stack netd_service:service_manager find;
+allow network_stack wifi_service:service_manager find;
+allow network_stack connmetrics_service:service_manager find;
+
+binder_call(network_stack, netd);
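Review bot: The `allow network_stack self:global_capability_class_set` block grants net_admin, net_bind_service, net_broadcast and net_raw to an app domain without a comment saying which service needs each one, unlike the two rules that follow it. A per-capability comment would let a later reviewer drop any grant that turns out to be unused, for example `# net_raw: DhcpClient packet sockets; net_admin: SIOCSARP (confirm the remaining two)`. The `allowxperm` rule also whitelists the whole `priv_sock_ioctls` set while its comment names only SIOCSARP; if that is the only privileged ioctl in use, `allowxperm network_stack self:udp_socket ioctl SIOCSARP;` would be the narrower grant. The four `service_manager find` rules would benefit from a similar one-line comment each, naming the caller.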