Add sepolicy rules for Thread Network HAL
Bug: b/283905423
Test: Build and run the Thread Network stack in Cuttlefish.
Change-Id: I783022c66b80274069f8f3c292d84918f41f8221
diff --git a/apex/com.android.threadnetwork-file_contexts b/apex/com.android.threadnetwork-file_contexts
index 1aabee9..45d9bff 100644
--- a/apex/com.android.threadnetwork-file_contexts
+++ b/apex/com.android.threadnetwork-file_contexts
@@ -1,4 +1,3 @@
(/.*)? u:object_r:system_file:s0
/bin/otbr-agent u:object_r:ot_daemon_exec:s0
/bin/ot-ctl u:object_r:ot_ctl_exec:s0
-/bin/ot-rcp u:object_r:ot_rcp_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 4147bd1..b73db7e 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -119,6 +119,7 @@
"android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
"android.hardware.tetheroffload.IOffload/default": EXCEPTION_NO_FUZZER,
"android.hardware.thermal.IThermal/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.threadnetwork.IThreadChip/chip0": []string{"android.hardware.threadnetwork-service.fuzzer"},
"android.hardware.tv.hdmi.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.hdmi.connection.IHdmiConnection/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.hdmi.earc.IEArc/default": EXCEPTION_NO_FUZZER,
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 0ea3863..aae1ac1 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -7,4 +7,5 @@
( new_objects
ota_build_prop
snapuserd_log_data_file
+ hal_threadnetwork_service
))
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 98e1a0a..b22ff90 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -17,8 +17,4 @@
allow ot_daemon threadnetwork_data_file:file create_file_perms;
allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
-# used for simulation
-userdebug_or_eng(`
-create_pty(ot_daemon);
-domain_auto_trans(ot_daemon, ot_rcp_exec, ot_rcp);
-')
+hal_client_domain(ot_daemon, hal_threadnetwork)
diff --git a/private/ot_rcp.te b/private/ot_rcp.te
deleted file mode 100644
index 0f6f1d3..0000000
--- a/private/ot_rcp.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# ot_rcp is the simulated Thread Radio Coprocessor device which is used by ot_daemon.
-#
-
-type ot_rcp, domain, coredomain;
-type ot_rcp_exec, exec_type, file_type, system_file_type;
-
-userdebug_or_eng(`
-allow ot_rcp ot_daemon:fd use;
-allow ot_rcp ot_daemon:fifo_file rw_file_perms;
-allow ot_rcp ot_daemon_devpts:chr_file {read write};
-allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
-allow ot_rcp port:udp_socket name_bind;
-allow ot_rcp node:udp_socket node_bind;
-')
diff --git a/private/service_contexts b/private/service_contexts
index 6d48a74..a731dfd 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -94,6 +94,7 @@
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.tetheroffload.IOffload/default u:object_r:hal_tetheroffload_service:s0
android.hardware.thermal.IThermal/default u:object_r:hal_thermal_service:s0
+android.hardware.threadnetwork.IThreadChip/chip0 u:object_r:hal_threadnetwork_service:s0
android.hardware.tv.hdmi.cec.IHdmiCec/default u:object_r:hal_tv_hdmi_cec_service:s0
android.hardware.tv.hdmi.connection.IHdmiConnection/default u:object_r:hal_tv_hdmi_connection_service:s0
android.hardware.tv.hdmi.earc.IEArc/default u:object_r:hal_tv_hdmi_earc_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index d30f657..006caf7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -333,6 +333,7 @@
hal_client_domain(system_server, hal_sensors)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
+hal_client_domain(system_server, hal_threadnetwork)
hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_hdmi_cec)
hal_client_domain(system_server, hal_tv_hdmi_connection)
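Review bot: The added `hal_client_domain(system_server, hal_threadnetwork)` makes system_server a client of the Thread HAL (service lookup plus binder calls to the server), but nothing in this change shows system_server using it. The visible consumer is ot_daemon, which receives the same macro in private/ot_daemon.te. If system_server does not call IThreadChip directly, drop this line so the HAL's binder surface is reachable from a single client domain. If the grant is needed, put a comment above it naming the caller, e.g. `# <system_server component> talks to IThreadChip for <reason>`.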
diff --git a/public/attributes b/public/attributes
index 16a8e66..cb46856 100644
--- a/public/attributes
+++ b/public/attributes
@@ -378,6 +378,7 @@
hal_attribute(telephony);
hal_attribute(tetheroffload);
hal_attribute(thermal);
+hal_attribute(threadnetwork);
hal_attribute(tv_cec);
hal_attribute(tv_hdmi_cec);
hal_attribute(tv_hdmi_connection);
diff --git a/public/hal_threadnetwork.te b/public/hal_threadnetwork.te
new file mode 100644
index 0000000..1f0745b
--- /dev/null
+++ b/public/hal_threadnetwork.te
@@ -0,0 +1,7 @@
+binder_call(hal_threadnetwork_client, hal_threadnetwork_server)
+binder_call(hal_threadnetwork_server, hal_threadnetwork_client)
+
+hal_attribute_service(hal_threadnetwork, hal_threadnetwork_service)
+
+binder_call(hal_threadnetwork_server, servicemanager)
+binder_call(hal_threadnetwork_client, servicemanager)
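Review bot: The new file carries no comments, so the reason for the server-to-client `binder_call` on its second line is left to the reader; it presumably covers callbacks the HAL delivers to its client. A header such as `# Binder IPC from client to server, and callbacks` above the first pair would document it. A second comment, `# Register with and look up the service through servicemanager`, would do the same for the last pair. Every domain later given `hal_client_domain(..., hal_threadnetwork)` inherits all of these rules, which is why the intent belongs in this file.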
diff --git a/public/service.te b/public/service.te
index 27403ca..fc966b1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -320,6 +320,7 @@
type hal_tv_hdmi_connection_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_hdmi_earc_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
+type hal_threadnetwork_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
type hal_usb_service, protected_service, hal_service_type, service_manager_type;
type hal_usb_gadget_service, protected_service, hal_service_type, service_manager_type;
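Review bot: `hal_threadnetwork_service` is inserted between `hal_tv_input_service` and `hal_tv_tuner_service`, which breaks the alphabetical order the surrounding declarations follow. The service_contexts, attributes and system_server.te hunks in this change all place the threadnetwork entry directly after the thermal one. Moving this line up, presumably next to `hal_thermal_service` (outside this hunk), keeps the list easy to scan.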
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a2e460d..80dfbdc 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -101,6 +101,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.threadnetwork-service(\.sim)? u:object_r:hal_threadnetwork_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.cec-service u:object_r:hal_tv_hdmi_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.connection-service u:object_r:hal_tv_hdmi_connection_default_exec:s0
@@ -124,6 +125,7 @@
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+/(vendor|system/vendor)/bin/ot-rcp u:object_r:ot_rcp_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
#############################
diff --git a/vendor/hal_threadnetwork_default.te b/vendor/hal_threadnetwork_default.te
new file mode 100644
index 0000000..3a24269
--- /dev/null
+++ b/vendor/hal_threadnetwork_default.te
@@ -0,0 +1,5 @@
+type hal_threadnetwork_default, domain;
+hal_server_domain(hal_threadnetwork_default, hal_threadnetwork)
+
+type hal_threadnetwork_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_threadnetwork_default)
diff --git a/vendor/ot_rcp.te b/vendor/ot_rcp.te
new file mode 100644
index 0000000..0da517a
--- /dev/null
+++ b/vendor/ot_rcp.te
@@ -0,0 +1,17 @@
+#
+# ot_rcp is the simulated Thread Radio Coprocessor device which is used by
+# Thread Network HAL for simulating the Thread radio chip.
+#
+type ot_rcp, domain;
+type ot_rcp_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+domain_auto_trans(hal_threadnetwork_default, ot_rcp_exec, ot_rcp)
+allow hal_threadnetwork_default devpts:chr_file {open read write ioctl};
+allow ot_rcp hal_threadnetwork_default:fd use;
+allow ot_rcp hal_threadnetwork_default:fifo_file rw_file_perms;
+allow ot_rcp devpts:chr_file {read write};
+allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
+allow ot_rcp node:udp_socket node_bind;
+allow ot_rcp port:udp_socket name_bind;
+')
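Review bot: Both `devpts:chr_file` rules target the generic `devpts` type, so on userdebug/eng builds hal_threadnetwork_default and ot_rcp can read and write any pty carrying that label, not only the one the HAL opens for the simulated radio. The policy this replaces used `create_pty(ot_daemon)` and limited ot_rcp to `ot_daemon_devpts`. The same scoping can be kept here with `create_pty(hal_threadnetwork_default)` in place of the first allow and `allow ot_rcp hal_threadnetwork_default_devpts:chr_file {read write};` in place of the second. The rules sit inside `userdebug_or_eng`, so user builds are unaffected, but the per-domain pty type keeps the debug policy as narrow as the one it replaces.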