is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
# vmnic: helper daemon that performs network setup for VMs (for example,
# creating TAP interfaces) on behalf of virtualizationservice. It runs in its
# own domain because these tasks need privileges (net_admin, tun access) that
# are deliberately kept out of virtualizationservice.
type vmnic, domain, coredomain;
type vmnic_exec, system_file_type, exec_type, file_type;

# Executables labelled vmnic_exec that init starts transition into vmnic.
init_daemon_domain(vmnic)

# Binder: vmnic is a Binder client and publishes vmnic_service via ServiceManager.
binder_use(vmnic)
add_service(vmnic, vmnic_service)

# TAP interface lifecycle: open the tun device and drive it with the two TUN
# ioctls needed to create/query an interface. The allowxperm line is the ioctl
# allowlist for that device; any ioctl not listed is denied even though
# rw_file_perms is granted on the chr_file.
allow vmnic self:global_capability_class_set net_admin;
allow vmnic self:tun_socket create_socket_perms_no_ioctl;
allow vmnic tun_device:chr_file rw_file_perms;
allowxperm vmnic tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };

# Interface configuration: a UDP socket is used as the handle for SIOCSIFFLAGS
# (setting interface flags); no other socket ioctl is permitted.
allow vmnic self:udp_socket create_socket_perms;
allowxperm vmnic self:udp_socket ioctl SIOCSIFFLAGS;

# vmnic's Binder interface is reachable only from virtualizationservice (and
# servicemanager); every other domain is denied, and this neverallow makes a
# future policy change that widens the caller set fail at build time.
neverallow { domain -virtualizationservice -servicemanager } vmnic:binder call;
') # is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK)