# Everything in this file is gated on the RELEASE_AVF_ENABLE_NETWORK build flag:
# the vmnic domain, its types and its rules exist only on builds where the flag is
# enabled. Keep the whole body inside the quoted macro argument and avoid quote
# characters in comments, since the text is processed by m4 before checkpolicy.
is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
# vmnic is a helper service for network tasks, like creating TAP network interface.
# vmnic is separated from virtualizationservice as vmnic requires more permission to do network related tasks.
# Isolating the network privileges in their own domain keeps net_admin out of
# virtualizationservice and lets the neverallow at the end of this file restrict
# who can reach the privileged code.
type vmnic, domain, coredomain;
# Label for the vmnic executable itself; the domain transition below keys off it.
type vmnic_exec, system_file_type, exec_type, file_type;

# When init runs a file labelled with vmnic_exec, run it in the vmnic domain.
init_daemon_domain(vmnic)

# Let the vmnic domain register the vmnic_service with ServiceManager.
add_service(vmnic, vmnic_service)

# Let the vmnic domain use Binder.
binder_use(vmnic)

# Allow for creating and deleting TAP network interfaces.
# net_admin is a broad capability; it is the reason this code lives in a separate,
# narrowly reachable domain rather than in virtualizationservice.
allow vmnic self:global_capability_class_set net_admin;
# Socket-level ioctl is deliberately left out of the tun_socket permissions; the
# only ioctls granted are the two on the tun_device character file listed below.
allow vmnic self:tun_socket create_socket_perms_no_ioctl;
allow vmnic tun_device:chr_file rw_file_perms;
# Restrict the tun_device ioctls to querying and configuring the TAP interface.
allowxperm vmnic tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
# A UDP socket is used as a handle for the interface-flags ioctl; the allowxperm
# limits socket ioctls on it to that single command (SIOCSIFFLAGS).
allow vmnic self:udp_socket create_socket_perms;
allowxperm vmnic self:udp_socket ioctl SIOCSIFFLAGS;

# Only virtualizationservice can communicate to vmnic
# This is a build-time assertion: any other domain that is granted vmnic:binder call
# fails policy compilation. servicemanager is excluded from the assertion,
# presumably because service registration and lookup require it to call into the
# domain; confirm against the add_service expansion if this set is ever widened.
neverallow { domain -virtualizationservice -servicemanager } vmnic:binder call;
') # is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK)