authorRobert Craig <rpcraig@tycho.ncsc.mil>2013-12-11 16:15:05 -0500
committerrpcraig <rpcraig@tycho.ncsc.mil>2013-12-11 16:23:11 -0500
commita84f78c756ba02f93ef65016ae2e0159e0191161 (patch)
tree72703f35327953538d92764ed8967c3ff3922ddd /sepolicy
parent319a55749d307ba1d423486d85828b07eb54f0b6 (diff)
Address new netmgrd data connectivity denials.
Patch fixes the following denials seen when trying to use data service on the phone. denied { create } for pid=5042 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=packet_socket denied { bind } for pid=5042 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=packet_socket denied { write } for pid=5042 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=packet_socket denied { read } for pid=5042 comm="netmgrd" path="socket:[17231]" dev="sockfs" ino=17231 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=packet_socket denied { write } for pid=541 comm="netmgrd" name="property_service" dev="tmpfs" ino=6583 scontext=u:r:netmgrd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file denied { set } for property=net.rmnet_usb0.dns1 scontext=u:r:netmgrd:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service denied { nlmsg_read } for pid=6365 comm="ip" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_route_socket denied { nlmsg_write } for pid=6365 comm="ip" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_route_socket Change-Id: Iee4bb5b4f3c9d17419ebf69f2764151ec7979249
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/netmgrd.te7
1 files changed, 6 insertions, 1 deletions
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index dc63a8a..52bbc70 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -13,7 +13,12 @@ dontaudit netmgrd self:capability sys_module;
allow netmgrd self:udp_socket { create ioctl };
allow netmgrd self:netlink_socket create_socket_perms;
-allow netmgrd self:netlink_route_socket create_socket_perms;
+allow netmgrd self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow netmgrd self:packet_socket create_socket_perms;
+
+# set net.rmnet* properties.
+unix_socket_connect(netmgrd, property, init)
+allow netmgrd system_prop:property_service set;
# Talk to qmuxd (qmux_radio)
qmux_socket(netmgrd)
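Review bot: `allow netmgrd system_prop:property_service set;` lets netmgrd set every property labeled system_prop, while the comment above it and the logged denial (property=net.rmnet_usb0.dns1, tcontext system_prop) only call for the net.rmnet* keys. A tighter form would give those keys their own type in property_contexts and grant set on that type alone, e.g. `allow netmgrd <rmnet_prop_type>:property_service set;` (the type name is a placeholder). If the broad grant has to stay for now, the comment should say so: `# net.rmnet* is labeled system_prop, so this grants set on all system_prop properties.` Separately, the packet_socket denials in the commit message are create, bind, read and write, so `create_socket_perms` on the new packet_socket line may be wider than needed; `{ create bind read write }` would match what was observed.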