commit 07429e39ee8c97cb0d95f31c7f8aa0ed843cfd64
author Yakun Xu <xyk@google.com> Fri Jun 02 03:36:01 2023 +0000
committer Kangping Dong <wgtdkp@google.com> Wed Jun 07 07:04:19 2023 +0000
tree 69c2f20826b80ee4e3bc84b33df1d100a422de2b
parent abbd8aeefd7f1891dc1442d9c51dc481d99d9d16

add sepolicy rules for Thread network

bug: 257371610
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0fd52fd521b8167b0ec8836dac3765a16fd6863b)
Merged-In: I2c90639f4baecb010230b3aa60f2f09c0ddd9e4f
Change-Id: I2c90639f4baecb010230b3aa60f2f09c0ddd9e4f

private/ot_daemon.te

diff --git a/private/ot_daemon.te b/private/ot_daemon.te
new file mode 100644
index 0000000..98e1a0a
--- /dev/null
+++ b/private/ot_daemon.te
@@ -0,0 +1,24 @@
+#
+# ot_daemon is the native Thread network stack on the host (Android) side.
+# Refer to https://www.threadgroup.org for Thread network knowledge.
+#
+
+# ot_daemon
+type ot_daemon, domain, coredomain;
+type ot_daemon_exec, exec_type, file_type, system_file_type;
+
+# Allow init ot_daemon
+init_daemon_domain(ot_daemon)
+# Allow the ot_daemon to use the net domain.
+net_domain(ot_daemon)
+
+# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
+allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
+allow ot_daemon threadnetwork_data_file:file create_file_perms;
+allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+
+# used for simulation
+userdebug_or_eng(`
+create_pty(ot_daemon);
+domain_auto_trans(ot_daemon, ot_rcp_exec, ot_rcp);
+')