128 lines
4.4 KiB
Text
128 lines
4.4 KiB
Text
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions are
|
|
# met:
|
|
# * Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
# * Redistributions in binary form must reproduce the above
|
|
# copyright notice, this list of conditions and the following
|
|
# disclaimer in the documentation and/or other materials provided
|
|
# with the distribution.
|
|
# * Neither the name of The Linux Foundation nor the names of its
|
|
# contributors may be used to endorse or promote products derived
|
|
# from this software without specific prior written permission.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
|
|
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
|
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
|
|
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
|
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
|
|
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
|
|
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
type cnd, domain, mlstrustedsubject;
|
|
type cnd_exec, exec_type, vendor_file_type, file_type;
|
|
file_type_auto_trans(cnd, socket_device, cnd_socket);
|
|
|
|
# cnd is started by init, type transit from init domain to cnd domain
|
|
init_daemon_domain(cnd)
|
|
|
|
# associate netdomain as an attribute of cnd domain
|
|
net_domain(cnd)
|
|
|
|
allow cnd smem_log_device:chr_file rw_file_perms;
|
|
|
|
# allow cnd the following capability
|
|
allow cnd self:capability {
|
|
net_admin
|
|
sys_module
|
|
net_bind_service
|
|
};
|
|
|
|
allow cnd self:capability2 block_suspend;
|
|
|
|
# socket used to communicate with kernel via the netlink syscall
|
|
allow cnd self:{
|
|
netlink_tcpdiag_socket
|
|
netlink_route_socket
|
|
netlink_socket
|
|
netlink_generic_socket
|
|
# allow cnd to perform socket operation on itself
|
|
socket
|
|
qipcrtr_socket
|
|
} create_socket_perms_no_ioctl;
|
|
|
|
# allow cnd to read tcp diagnostics through netlink
|
|
allow cnd self:netlink_tcpdiag_socket nlmsg_read;
|
|
|
|
# allow cnd to set cnd property
|
|
set_prop(cnd, cnd_vendor_prop)
|
|
|
|
# allow cnd to access cnd_data_file
|
|
allow cnd cnd_data_file:file create_file_perms;
|
|
allow cnd cnd_data_file:sock_file { unlink create setattr };
|
|
allow cnd cnd_data_file:dir rw_dir_perms;
|
|
|
|
# allow cnd to access qmux_radio_socket
|
|
qmux_socket(cnd)
|
|
|
|
# allow cnd to access wpa_socket
|
|
unix_socket_send(cnd, wpa, hal_wifi_supplicant)
|
|
allow cnd wifi_vendor_data_file:dir r_dir_perms;
|
|
allow cnd wifi_vendor_wpa_socket:sock_file write;
|
|
allow cnd wpa_data_file:dir w_dir_perms;
|
|
allow cnd wpa_data_file:sock_file create_file_perms;
|
|
|
|
# allow cnd to obtain wakelock
|
|
wakelock_use(cnd)
|
|
|
|
# allow access to nims
|
|
allow cnd socket_device:dir remove_name;
|
|
|
|
# explicitly allow udp socket permissions for appdomain
|
|
#allow cnd appdomain:udp_socket rw_socket_perms;
|
|
|
|
#allow cnd daemon to invoke hostapd_cli
|
|
allow cnd vendor_shell_exec:file rx_file_perms;
|
|
domain_auto_trans(cnd, hostapd_exec, hostapd)
|
|
allow cnd hostapd_socket:dir r_dir_perms;
|
|
unix_socket_send(cnd, hostapd, hostapd)
|
|
|
|
# only allow getopt for appdomain
|
|
allow appdomain zygote:unix_dgram_socket getopt;
|
|
dontaudit { domain -appdomain } zygote:unix_dgram_socket getopt;
|
|
|
|
#diag
|
|
userdebug_or_eng(`
|
|
diag_use(cnd)
|
|
')
|
|
|
|
allow cnd proc_meminfo:file r_file_perms;
|
|
allow cnd self:socket ioctl;
|
|
allowxperm cnd self:socket ioctl msm_sock_ipc_ioctls;
|
|
|
|
allow cnd self:udp_socket ioctl;
|
|
allowxperm cnd self:udp_socket ioctl wlan_sock_ioctls;
|
|
|
|
allow cnd sysfs_data:file r_file_perms;
|
|
|
|
add_hwservice(cnd, hal_latency_hwservice)
|
|
add_hwservice(cnd, hal_datafactory_hwservice)
|
|
hwbinder_use(cnd)
|
|
get_prop(cnd, hwservicemanager_prop)
|
|
binder_call(cnd, dataservice_app)
|
|
binder_call(cnd, ims)
|
|
binder_call(cnd, location)
|
|
|
|
##############################################################
|
|
#for using public interface vendor.qti.data.factory
|
|
#client should add their domain to cnd.te
|
|
##############################################################
|
|
userdebug_or_eng(`
|
|
binder_call(cnd, radio)
|
|
')
|