platform_system_sepolicy/private/ot_daemon.te

#
# ot_daemon is the native Thread network stack on the host (Android) side.
# Refer to https://www.threadgroup.org for Thread network knowledge.
#

# ot_daemon
type ot_daemon, domain, coredomain;
type ot_daemon_exec, exec_type, file_type, system_file_type;

# Allow init ot_daemon
init_daemon_domain(ot_daemon)
# Allow the ot_daemon to use the net domain.
net_domain(ot_daemon)

# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
allow ot_daemon threadnetwork_data_file:file create_file_perms;
allow ot_daemon threadnetwork_data_file:sock_file {create unlink};

# Allow OT daemon to read/write the Thread tunnel interface
allow ot_daemon tun_device:chr_file {read write};

# Allow OT daemon to read/write on the socket created by System Server
allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl;

hal_client_domain(ot_daemon, hal_threadnetwork)

# Only ot_daemon can publish the binder service
binder_use(ot_daemon)
add_service(ot_daemon, ot_daemon_service)
binder_call(ot_daemon, system_server)

# Allow OT daemon to write to statsd
unix_socket_send(ot_daemon, statsdw, statsd)
add sepolicy rules for Thread network bug: 257371610 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0fd52fd521b8167b0ec8836dac3765a16fd6863b) Merged-In: I2c90639f4baecb010230b3aa60f2f09c0ddd9e4f Change-Id: I2c90639f4baecb010230b3aa60f2f09c0ddd9e4f 2023-06-02 05:36:01 +02:00			`#`
			`# ot_daemon is the native Thread network stack on the host (Android) side.`
			`# Refer to https://www.threadgroup.org for Thread network knowledge.`
			`#`

			`# ot_daemon`
			`type ot_daemon, domain, coredomain;`
			`type ot_daemon_exec, exec_type, file_type, system_file_type;`

			`# Allow init ot_daemon`
			`init_daemon_domain(ot_daemon)`
			`# Allow the ot_daemon to use the net domain.`
			`net_domain(ot_daemon)`

			`# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".`
			`allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;`
			`allow ot_daemon threadnetwork_data_file:file create_file_perms;`
			`allow ot_daemon threadnetwork_data_file:sock_file {create unlink};`

add sepolicy rules for OT daemon binder service Bug: 262681784 Change-Id: I3b4d3603709a761ad1410b81c0e5b4e4fc51c43c 2022-10-28 09:56:02 +02:00			`# Allow OT daemon to read/write the Thread tunnel interface`
			`allow ot_daemon tun_device:chr_file {read write};`

allow ot_daemon to read/write sockets shared by system_server system_server creates an ICMPv6 socket and send it to ot_daemon via ParcelFileDescriptor. ot_daemon will use that socket to send/receive ICMPv6 messages. Here's how the socket is created in System Server: int sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6); Bug: 294486086 Security consultation bug: 296809188 Test: Verified on a cuttlefish Change-Id: I9d479c9da01187a0e476591f447f7199ecb3a409 2023-08-23 09:40:49 +02:00			`# Allow OT daemon to read/write on the socket created by System Server`
			`allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl;`

Add sepolicy rules for Thread Network HAL Bug: b/283905423 Test: Build and run the Thread Network stack in Cuttlefish. Change-Id: I783022c66b80274069f8f3c292d84918f41f8221 2023-06-14 07:26:15 +02:00			`hal_client_domain(ot_daemon, hal_threadnetwork)`
add sepolicy rules for OT daemon binder service Bug: 262681784 Change-Id: I3b4d3603709a761ad1410b81c0e5b4e4fc51c43c 2022-10-28 09:56:02 +02:00
			`# Only ot_daemon can publish the binder service`
			`binder_use(ot_daemon)`
			`add_service(ot_daemon, ot_daemon_service)`
			`binder_call(ot_daemon, system_server)`
Add sepolicy to allow OT daemon to write to statsd Bug: 230565248 Test: push data to statsd_testdrive and it works now Change-Id: I48c3affdd1fbd62df5b8eaff9908c5f3bbeda4d8 2023-10-26 07:43:59 +02:00
			`# Allow OT daemon to write to statsd`
			`unix_socket_send(ot_daemon, statsdw, statsd)`