[Thread] move Thread settings data to APEX data dir
This commit includes two sepolicy changes:
1. change threadnetwork data file to
/data/misc/apexdata/com.android.tethering/threadnetwork
2. use apex_tethering_data_file for files under
/data/misc/apexdata/com.android.tethering
The background is that the Thread daemon (ot_daemon) is merged into the
Tethering mainline module, which means the Tethering module now has
code running in both system_server and the standalone unprivileged
ot_daemon process. To prevent ot_daemon from accessing other
apex_system_server_data_file dirs, the specific
apex_tethering_data_file is used here for both Tethering and Thread files (a
subdirectory threadnetwork/ will be created for Thread at runtime). This
is similar to apex_art_data_file and apex_virt_data_file.
Note that a file_contexts rule like
```
/data/misc/apexdata/com\.android\.tethering/threadnetwork(/.*)? u:object_r:apex_threadnetwork_data_file:s0
```
won't work because the threadnetwork/ subdir doesn't exist before the
sepolicy rules are evaluated.
Bug: 309932508
Test: manually verified that Thread settings file can be written to
/data/misc/apexdata/com.android.tethering/threadnetwork
Change-Id: I66539865ef388115c8e9b388b43291d8faf1f384
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 457e1bf..495947f 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -12,10 +12,14 @@
# Allow the ot_daemon to use the net domain.
net_domain(ot_daemon)
-# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
-allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
-allow ot_daemon threadnetwork_data_file:file create_file_perms;
-allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+# Allow ot_daemon to find /data/misc/apexdata/com.android.tethering
+allow ot_daemon apex_module_data_file:dir search;
+
+# Allow the ot_daemon to access files and subdirectories under
+# /data/misc/apexdata/com\.android\.tethering
+allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms};
+allow ot_daemon apex_tethering_data_file:file create_file_perms;
+allow ot_daemon apex_tethering_data_file:sock_file {create unlink};
# Allow OT daemon to read/write the Thread tunnel interface
allow ot_daemon tun_device:chr_file {read write};
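Review bot: the new rules grant ot_daemon more than the commit message describes: `allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms};` together with `allow ot_daemon apex_tethering_data_file:file create_file_perms;` lets the unprivileged daemon create, write and delete any directory or file directly under /data/misc/apexdata/com.android.tethering, including the Tethering state owned by the system_server side of the module, not only the threadnetwork/ subdirectory it needs. Since the message notes that a file_contexts entry for threadnetwork/ cannot take effect because the directory is created at runtime, consider labelling it at creation time instead with a named type transition (e.g. `type_transition ot_daemon apex_tethering_data_file:dir apex_threadnetwork_data_file "threadnetwork";`), keeping ot_daemon at `search`/`create` on the parent and giving it full file permissions only on the Thread-specific type; if the shared type is kept deliberately, the comment on the hunk should say so and why. Minor: the comment above the `dir` rule writes the path with regex-escaped dots (`com\.android\.tethering`) while the comment above the `search` rule uses the plain path; pick one form, the plain path is clearer in a comment.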