| Yakun Xu | 07429e3 | 2023-06-02 03:36:01 +0000 | [diff] [blame] | 1 | # |
| 2 | # ot_daemon is the native Thread network stack on the host (Android) side. |
| 3 | # Refer to https://www.threadgroup.org for Thread network knowledge. |
| 4 | # |
| 5 | |
| 6 | # ot_daemon |
| 7 | type ot_daemon, domain, coredomain; |
| 8 | type ot_daemon_exec, exec_type, file_type, system_file_type; |
| 9 | |
| 10 | # Allow init ot_daemon |
| 11 | init_daemon_domain(ot_daemon) |
| 12 | # Allow the ot_daemon to use the net domain. |
| 13 | net_domain(ot_daemon) |
| 14 | |
| Kangping Dong | e21496b | 2024-01-02 15:10:27 +0800 | [diff] [blame] | 15 | # Allow ot_daemon to find /data/misc/apexdata/com.android.tethering |
| 16 | allow ot_daemon apex_module_data_file:dir search; |
| 17 | |
| 18 | # Allow the ot_daemon to access files and subdirectories under |
| 19 | # /data/misc/apexdata/com\.android\.tethering |
| 20 | allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms}; |
| 21 | allow ot_daemon apex_tethering_data_file:file create_file_perms; |
| Yakun Xu | 07429e3 | 2023-06-02 03:36:01 +0000 | [diff] [blame] | 22 | |
| Kangping Dong | 0b3e8c6 | 2022-10-28 15:56:02 +0800 | [diff] [blame] | 23 | # Allow OT daemon to read/write the Thread tunnel interface |
| 24 | allow ot_daemon tun_device:chr_file {read write}; |
| 25 | |
| Handa Wang | 8612e80 | 2023-08-23 15:40:49 +0800 | [diff] [blame] | 26 | # Allow OT daemon to read/write on the socket created by System Server |
| 27 | allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl; |
| 28 | |
| Kangping Dong | 47425ae | 2024-11-20 15:49:39 +0800 | [diff] [blame^] | 29 | # Allow OT daemon to read/write on the UDP sockets created by system server |
| 30 | allow ot_daemon system_server:udp_socket rw_socket_perms; |
| 31 | |
| Zhanglong Xia | b2d1fbb | 2023-06-14 05:26:15 +0000 | [diff] [blame] | 32 | hal_client_domain(ot_daemon, hal_threadnetwork) |
| Kangping Dong | 0b3e8c6 | 2022-10-28 15:56:02 +0800 | [diff] [blame] | 33 | |
| 34 | # Only ot_daemon can publish the binder service |
| 35 | binder_use(ot_daemon) |
| 36 | add_service(ot_daemon, ot_daemon_service) |
| 37 | binder_call(ot_daemon, system_server) |
| Tony Zhou | 4ed6a0d | 2023-10-26 13:43:59 +0800 | [diff] [blame] | 38 | |
| 39 | # Allow OT daemon to write to statsd |
| 40 | unix_socket_send(ot_daemon, statsdw, statsd) |
| Kangping Dong | e1ee768 | 2023-12-01 13:02:38 +0800 | [diff] [blame] | 41 | |
| 42 | # For collecting bugreports. |
| 43 | allow ot_daemon dumpstate:fd use; |
| 44 | allow ot_daemon dumpstate:fifo_file write; |
| Kangping Dong | 90495cc | 2024-02-29 23:43:34 +0800 | [diff] [blame] | 45 | |
| 46 | # ot-daemon socket is for only ot-daemon and ot-ctl |
| 47 | neverallow { |
| 48 | domain |
| 49 | -ot_daemon |
| 50 | userdebug_or_eng(`-ot_ctl') |
| 51 | -init |
| 52 | -vendor_init |
| 53 | } ot_daemon_socket:sock_file *; |