add sepolicy rules for Thread network
bug: 257371610
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0fd52fd521b8167b0ec8836dac3765a16fd6863b)
Merged-In: I2c90639f4baecb010230b3aa60f2f09c0ddd9e4f
Change-Id: I2c90639f4baecb010230b3aa60f2f09c0ddd9e4f
diff --git a/apex/Android.bp b/apex/Android.bp
index 2dcae6f..22de5d4 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -43,6 +43,13 @@
}
filegroup {
+ name: "com.android.threadnetwork-file_contexts",
+ srcs: [
+ "com.android.threadnetwork-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.sdkext-file_contexts",
srcs: [
"com.android.sdkext-file_contexts",
diff --git a/apex/com.android.threadnetwork-file_contexts b/apex/com.android.threadnetwork-file_contexts
new file mode 100644
index 0000000..1aabee9
--- /dev/null
+++ b/apex/com.android.threadnetwork-file_contexts
@@ -0,0 +1,4 @@
+(/.*)? u:object_r:system_file:s0
+/bin/otbr-agent u:object_r:ot_daemon_exec:s0
+/bin/ot-ctl u:object_r:ot_ctl_exec:s0
+/bin/ot-rcp u:object_r:ot_rcp_exec:s0
diff --git a/private/file.te b/private/file.te
index f6781b0..e48fc4c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -131,5 +131,8 @@
# in to satisfy MLS constraints for trusted domains.
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
+# /data/misc/threadnetwork
+type threadnetwork_data_file, file_type, data_file_type, core_data_file_type;
+
# /sys/firmware/devicetree/base/avf
type sysfs_dt_avf, fs_type, sysfs_type;
diff --git a/private/file_contexts b/private/file_contexts
index c9c51e4..123e4ed 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -655,6 +655,7 @@
/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
+/data/misc/threadnetwork(/.*)? u:object_r:threadnetwork_data_file:s0
/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0
diff --git a/private/ot_ctl.te b/private/ot_ctl.te
new file mode 100644
index 0000000..12e7ce2
--- /dev/null
+++ b/private/ot_ctl.te
@@ -0,0 +1,11 @@
+#
+# ot_ctl is the commandline tool for controling the native Thread network daemon (ot_daemon).
+#
+
+type ot_ctl, domain, coredomain;
+type ot_ctl_exec, exec_type, system_file_type, file_type;
+
+init_daemon_domain(ot_ctl)
+
+# Allow the ot_ctl to read/write the socket file.
+allow ot_ctl threadnetwork_data_file:sock_file {read write};
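Review bot: `init_daemon_domain(ot_ctl)` sets up an automatic transition from init, which suits an init-started service rather than a command-line tool, and nothing in this hunk lets any other domain enter `ot_ctl`. A comment should say who is expected to launch the tool, or the macro should be dropped if init never does. The socket rule on the last line also looks incomplete for a client: if ot_daemon listens on a stream socket under /data/misc/threadnetwork, connecting normally also needs `allow ot_ctl threadnetwork_data_file:dir search;` and `allow ot_ctl ot_daemon:unix_stream_socket connectto;`, unless those are granted in a file not shown here. `read` on the sock_file is probably unnecessary, since `write` is the permission checked on connect. The header comment has a typo: `controling` should be `controlling`.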
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
new file mode 100644
index 0000000..98e1a0a
--- /dev/null
+++ b/private/ot_daemon.te
@@ -0,0 +1,24 @@
+#
+# ot_daemon is the native Thread network stack on the host (Android) side.
+# Refer to https://www.threadgroup.org for Thread network knowledge.
+#
+
+# ot_daemon
+type ot_daemon, domain, coredomain;
+type ot_daemon_exec, exec_type, file_type, system_file_type;
+
+# Allow init ot_daemon
+init_daemon_domain(ot_daemon)
+# Allow the ot_daemon to use the net domain.
+net_domain(ot_daemon)
+
+# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
+allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
+allow ot_daemon threadnetwork_data_file:file create_file_perms;
+allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+
+# used for simulation
+userdebug_or_eng(`
+create_pty(ot_daemon);
+domain_auto_trans(ot_daemon, ot_rcp_exec, ot_rcp);
+')
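Review bot: The control socket is created with the same type as the daemon's persistent state (`allow ot_daemon threadnetwork_data_file:sock_file {create unlink};`), so every client rule has to name the data type. A dedicated socket type, with a type transition for the sock_file, would let client access be granted and audited separately from the files under /data/misc/threadnetwork. The comment `# Allow the ot_daemon to use the net domain.` only restates the macro; because `net_domain` is a broad grant, it would help to say which kinds of sockets the daemon actually needs. In the `userdebug_or_eng` block, a comment such as `# Debug builds only: spawn the simulated RCP (ot_rcp) over a pty; user builds get no transition.` would make the build-type boundary explicit.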
diff --git a/private/ot_rcp.te b/private/ot_rcp.te
new file mode 100644
index 0000000..0f6f1d3
--- /dev/null
+++ b/private/ot_rcp.te
@@ -0,0 +1,15 @@
+#
+# ot_rcp is the simulated Thread Radio Coprocessor device which is used by ot_daemon.
+#
+
+type ot_rcp, domain, coredomain;
+type ot_rcp_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+allow ot_rcp ot_daemon:fd use;
+allow ot_rcp ot_daemon:fifo_file rw_file_perms;
+allow ot_rcp ot_daemon_devpts:chr_file {read write};
+allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
+allow ot_rcp port:udp_socket name_bind;
+allow ot_rcp node:udp_socket node_bind;
+')
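Review bot: The `ot_rcp` and `ot_rcp_exec` types are declared outside `userdebug_or_eng`, and `/bin/ot-rcp` is labelled `ot_rcp_exec` unconditionally in com.android.threadnetwork-file_contexts, while every allow rule here and the transition in ot_daemon.te exist only on debug builds. As far as this change shows, user builds are left with a domain that has no rules and no entry point, which denies by default. The header should say so, e.g. `# Simulation only: all rules are userdebug/eng; on user builds this domain has no permissions.` The two bind rules use the generic `port` and `node` types, so the simulator can bind UDP on any port carrying the default label. If the simulation uses a fixed port range this could be narrowed; otherwise a short comment explaining why the generic types are needed is enough.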