platform_system_sepolicy/vendor/hal_can_socketcan.te

type hal_can_socketcan, domain;
hal_server_domain(hal_can_socketcan, hal_can_controller)
hal_server_domain(hal_can_socketcan, hal_can_bus)

type hal_can_socketcan_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_can_socketcan)

# Managing SocketCAN interfaces
allow hal_can_socketcan self:capability net_admin;
allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };

# See man page for netdevice(7) for more info on ioctls
allow hal_can_socketcan self:udp_socket { create ioctl };
allowxperm hal_can_socketcan self:udp_socket ioctl {
    SIOCGIFINDEX
    SIOCGIFFLAGS
    SIOCSIFFLAGS
};

# Communicating with SocketCAN interfaces and bringing them up/down
allow hal_can_socketcan self:can_socket { bind create read write ioctl setopt };
allowxperm hal_can_socketcan self:can_socket ioctl {
    SIOCGIFFLAGS
    SIOCSIFFLAGS
};

# Un-publishing ICanBus interfaces
allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;

allow hal_can_socketcan sysfs:dir r_dir_perms;

allow hal_can_socketcan usb_serial_device:chr_file { ioctl read write open };
allowxperm hal_can_socketcan usb_serial_device:chr_file ioctl {
    TCGETS
    TCSETSW
    TIOCGSERIAL
    TIOCSSERIAL
    TIOCSETD
    SIOCGIFNAME
};
SEPolicy rules for CAN bus HAL Bug: 135918744 Test: VTS (separate new change) Change-Id: Idd3ca882e3bd36b95a5412bdfbf6fe9d6e911ba9 2019-07-24 02:38:51 +02:00			`type hal_can_socketcan, domain;`
			`hal_server_domain(hal_can_socketcan, hal_can_controller)`
			`hal_server_domain(hal_can_socketcan, hal_can_bus)`

			`type hal_can_socketcan_exec, exec_type, vendor_file_type, file_type;`
			`init_daemon_domain(hal_can_socketcan)`

			`# Managing SocketCAN interfaces`
			`allow hal_can_socketcan self:capability net_admin;`
			`allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };`

Add permissions to allow iface up/down I need SIOCGIFFLAGS and SIOCSIFFLAGS in order to bring up/down interfaces with AIDL CAN HAL. Bug: 260592449 Test: CAN HAL can bring up interfaces Change-Id: I67edaa857cffdf3c3fc9f3b17aad5879e09c6385 2022-12-09 20:35:48 +01:00			`# See man page for netdevice(7) for more info on ioctls`
SEPolicy rules for CAN bus HAL Bug: 135918744 Test: VTS (separate new change) Change-Id: Idd3ca882e3bd36b95a5412bdfbf6fe9d6e911ba9 2019-07-24 02:38:51 +02:00			`allow hal_can_socketcan self:udp_socket { create ioctl };`
			`allowxperm hal_can_socketcan self:udp_socket ioctl {`
			`SIOCGIFINDEX`
Add permissions to allow iface up/down I need SIOCGIFFLAGS and SIOCSIFFLAGS in order to bring up/down interfaces with AIDL CAN HAL. Bug: 260592449 Test: CAN HAL can bring up interfaces Change-Id: I67edaa857cffdf3c3fc9f3b17aad5879e09c6385 2022-12-09 20:35:48 +01:00			`SIOCGIFFLAGS`
			`SIOCSIFFLAGS`
SEPolicy rules for CAN bus HAL Bug: 135918744 Test: VTS (separate new change) Change-Id: Idd3ca882e3bd36b95a5412bdfbf6fe9d6e911ba9 2019-07-24 02:38:51 +02:00			`};`

			`# Communicating with SocketCAN interfaces and bringing them up/down`
Modify SEPolicy to support SLCAN SLCAN setup requires certain ioctls and read/write operations to certain tty's. This change allows the HAL to set up SLCAN devices while complying with SEPolicy. In addition to adding support for SLCAN, I've also included permissions for using setsockopt. In order for the CAN HAL receive error frames from the CAN bus controller, we need to first set the error mask and filter via setsockopt. Test: manual Bug: 144458917 Bug: 144513919 Change-Id: I63a48ad6677a22f05d50d665a81868011c027898 2019-11-14 18:32:32 +01:00			`allow hal_can_socketcan self:can_socket { bind create read write ioctl setopt };`
SEPolicy rules for CAN bus HAL Bug: 135918744 Test: VTS (separate new change) Change-Id: Idd3ca882e3bd36b95a5412bdfbf6fe9d6e911ba9 2019-07-24 02:38:51 +02:00			`allowxperm hal_can_socketcan self:can_socket ioctl {`
			`SIOCGIFFLAGS`
			`SIOCSIFFLAGS`
			`};`

			`# Un-publishing ICanBus interfaces`
			`allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;`
Modify SEPolicy to support SLCAN SLCAN setup requires certain ioctls and read/write operations to certain tty's. This change allows the HAL to set up SLCAN devices while complying with SEPolicy. In addition to adding support for SLCAN, I've also included permissions for using setsockopt. In order for the CAN HAL receive error frames from the CAN bus controller, we need to first set the error mask and filter via setsockopt. Test: manual Bug: 144458917 Bug: 144513919 Change-Id: I63a48ad6677a22f05d50d665a81868011c027898 2019-11-14 18:32:32 +01:00
Enable CAN HAL to scan /sys/devices for USB CAN CAN HAL needs access to /sys/devices to search for USB serial numbers for SocketCAN devices and for USB serial devices. Bug: 142654031 Test: Manual + VTS Change-Id: I3d9bff94f8d8f936f7d859c01b9ff920fcbc5130 2020-03-11 20:51:22 +01:00			`allow hal_can_socketcan sysfs:dir r_dir_perms;`

Modify SEPolicy to support SLCAN SLCAN setup requires certain ioctls and read/write operations to certain tty's. This change allows the HAL to set up SLCAN devices while complying with SEPolicy. In addition to adding support for SLCAN, I've also included permissions for using setsockopt. In order for the CAN HAL receive error frames from the CAN bus controller, we need to first set the error mask and filter via setsockopt. Test: manual Bug: 144458917 Bug: 144513919 Change-Id: I63a48ad6677a22f05d50d665a81868011c027898 2019-11-14 18:32:32 +01:00			`allow hal_can_socketcan usb_serial_device:chr_file { ioctl read write open };`
			`allowxperm hal_can_socketcan usb_serial_device:chr_file ioctl {`
			`TCGETS`
			`TCSETSW`
			`TIOCGSERIAL`
			`TIOCSSERIAL`
			`TIOCSETD`
			`SIOCGIFNAME`
			`};`