[Thread] limit ot-daemon socket to ot-ctl It's better to explicitly disallow access to ot-daemon from other than ot-ctl. Bug: 323502847 Change-Id: Ic46ad4e8f3a1d21bbfc9f4f01e6a692aafcdb815

commit: 90495cc79fcbf471e6129eb0e674f4ef926d4e50 [log] [tgz]
author: Kangping Dong <wgtdkp@google.com> Thu Feb 29 23:43:34 2024 +0800
committer: Kangping Dong <wgtdkp@google.com> Thu Feb 29 23:43:34 2024 +0800
tree: 9e8b1692f207007c98339ced76b86a00c95e3895
parent: 7fdf451d8d2fd97d187ce65ca8540ec44f749fd5 [diff] [blame]
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 341fa9c..2fc74b5 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te

@@ -39,3 +39,12 @@
 # For collecting bugreports.
 allow ot_daemon dumpstate:fd use;
 allow ot_daemon dumpstate:fifo_file write;
+
+# ot-daemon socket is for only ot-daemon and ot-ctl
+neverallow {
+  domain
+  -ot_daemon
+  userdebug_or_eng(`-ot_ctl')
+  -init
+  -vendor_init
+} ot_daemon_socket:sock_file *;
commit	90495cc79fcbf471e6129eb0e674f4ef926d4e50	[log] [tgz]
author	Kangping Dong <wgtdkp@google.com>	Thu Feb 29 23:43:34 2024 +0800
committer	Kangping Dong <wgtdkp@google.com>	Thu Feb 29 23:43:34 2024 +0800
tree	9e8b1692f207007c98339ced76b86a00c95e3895
parent	7fdf451d8d2fd97d187ce65ca8540ec44f749fd5 [diff] [blame]