DO NOT MERGE Fake 29.0 sepolicy prebuilts
I took current AOSP policy as base, then removed sepolicy so that the
set of types and attributes was a subset of types and attributes in Q
sepolicy, with the exception of those that have not yet been cleaned up in
current AOSP:
mediaswcodec_server
netd_socket
mediaextractor_update_service
thermalserviced
thermalserviced_exec
Bug: 133196056
Test: n/a
Change-Id: I2cbe749777684146114c89e1e6fc3f07400c0ae5
diff --git a/prebuilts/api/29.0/public/wpantund.te b/prebuilts/api/29.0/public/wpantund.te
new file mode 100644
index 0000000..8ddd693
--- /dev/null
+++ b/prebuilts/api/29.0/public/wpantund.te
@@ -0,0 +1,29 @@
+type wpantund, domain;
+type wpantund_exec, system_file_type, exec_type, file_type;
+
+hal_client_domain(wpantund, hal_lowpan)
+net_domain(wpantund)
+
+binder_use(wpantund)
+binder_call(wpantund, system_server)
+
+# wpantund needs to be able to check in with the lowpan_service
+allow wpantund lowpan_service:service_manager find;
+
+# Allow wpantund to call any callbacks that have been registered with it.
+# Generally, only privileged apps are able to register callbacks with
+# wpantund, so we are limiting the scope for callbacks to only privileged
+# apps. We also add shell to allow the command-line utility `lowpanctl`
+# to work properly from `adb shell`.
+allow wpantund {priv_app shell}:binder call;
+
+# create sockets to set interfaces up and down, add multicast groups, etc.
+allow wpantund self:udp_socket create_socket_perms;
+
+# setting interface state up/down and changing MTU are privileged ioctls
+allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
+
+# Allow us to bring up a TUN network interface.
+allow wpantund tun_device:chr_file rw_file_perms;
+allow wpantund self:global_capability_class_set { net_admin net_raw };
+allow wpantund self:tun_socket create;
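Review bot: The capability grant near the end of the file, `allow wpantund self:global_capability_class_set { net_admin net_raw };`, includes `net_raw` without any comment that justifies it. The comment above it only says "Allow us to bring up a TUN network interface", and the earlier comment about privileged ioctls covers interface state and MTU, so neither explains raw-socket capability. Please add a comment naming what in wpantund needs `net_raw`, or drop it from the set if nothing does. A smaller point in the same file: `allow wpantund {priv_app shell}:binder call;` admits `shell` only so that `lowpanctl` works from `adb shell`; if that is a debugging aid, consider restricting the `shell` part to debug builds with `userdebug_or_eng(...)` rather than granting it on all builds.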