[Thread] limit ot-daemon socket to ot-ctl
It's better to explicitly disallow access to ot-daemon from other than
ot-ctl.
Bug: 323502847
Change-Id: Ic46ad4e8f3a1d21bbfc9f4f01e6a692aafcdb815
diff --git a/private/file_contexts b/private/file_contexts
index b9d661a..caf0725 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -288,6 +288,7 @@
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
/system/bin/wificond u:object_r:wificond_exec:s0
+/system/bin/ot-ctl u:object_r:ot_ctl_exec:s0
/system/bin/audioserver u:object_r:audioserver_exec:s0
/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
diff --git a/private/ot_ctl.te b/private/ot_ctl.te
new file mode 100644
index 0000000..7325ce5
--- /dev/null
+++ b/private/ot_ctl.te
@@ -0,0 +1,12 @@
+#
+# ot-ctl is a command line tool for controlling ot-daemon
+#
+
+type ot_ctl, domain, coredomain;
+type ot_ctl_exec, exec_type, file_type, system_file_type;
+
+# ot-ctl is available in only userdebug or eng build
+userdebug_or_eng(`
+ # ot-ctl connects to ot-daemon via the socket
+ allow ot_ctl ot_daemon_socket:sock_file rw_file_perms;
+')
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 341fa9c..2fc74b5 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -39,3 +39,12 @@
# For collecting bugreports.
allow ot_daemon dumpstate:fd use;
allow ot_daemon dumpstate:fifo_file write;
+
+# ot-daemon socket is for only ot-daemon and ot-ctl
+neverallow {
+ domain
+ -ot_daemon
+ userdebug_or_eng(`-ot_ctl')
+ -init
+ -vendor_init
+} ot_daemon_socket:sock_file *;