add sepolicy rules for OT daemon binder service
Bug: 262681784
Change-Id: I3b4d3603709a761ad1410b81c0e5b4e4fc51c43c
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index b22ff90..cdf5486 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -17,4 +17,12 @@
allow ot_daemon threadnetwork_data_file:file create_file_perms;
allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+# Allow OT daemon to read/write the Thread tunnel interface
+allow ot_daemon tun_device:chr_file {read write};
+
hal_client_domain(ot_daemon, hal_threadnetwork)
+
+# Only ot_daemon can publish the binder service
+binder_use(ot_daemon)
+add_service(ot_daemon, ot_daemon_service)
+binder_call(ot_daemon, system_server)
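Review bot: The `allow ot_daemon tun_device:chr_file {read write}` line grants no `open` or `ioctl`, so ot_daemon can only use a tunnel descriptor handed to it by another domain and cannot issue TUNSETIFF to create or reconfigure tun interfaces itself; that is the least-privilege shape, but the comment above it should record it so the permission is not later widened as a "fix", e.g. `# The tun fd is opened and passed in by the controlling domain; no open/ioctl on purpose`. The `add_service`/`binder_call` lines cover only the publish side and calls from ot_daemon toward system_server, which suggests system_server is meant to be the sole client, but the domains allowed to `find ot_daemon_service` are not in this hunk. Any domain that can find and call the service can drive the Thread radio, so it is worth confirming (and noting in the comment on the `add_service` line) that a neverallow elsewhere restricts `ot_daemon_service:service_manager find` to the intended client. The `hal_client_domain` context line implies the HAL access rules are established outside this hunk.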