add sepolicy rules for OT daemon binder service

Bug: 262681784
Change-Id: I3b4d3603709a761ad1410b81c0e5b4e4fc51c43c

build/soong/service_fuzzer_bindings.go

@@ -341,6 +341,7 @@ var (
 		"oem_lock":                     EXCEPTION_NO_FUZZER,
 		"ondevicepersonalization_system_service": EXCEPTION_NO_FUZZER,
 		"otadexopt":                    EXCEPTION_NO_FUZZER,
+		"ot_daemon":                    []string{"ot_daemon_service_fuzzer"},
 		"overlay":                      EXCEPTION_NO_FUZZER,
 		"pac_proxy":                    EXCEPTION_NO_FUZZER,
 		"package":                      EXCEPTION_NO_FUZZER,

private/compat/34.0/34.0.ignore.cil

@@ -9,4 +9,5 @@
     snapuserd_log_data_file
     hal_threadnetwork_service
     virtual_camera_service
+    ot_daemon_service
   ))

private/ot_daemon.te

@@ -17,4 +17,12 @@ allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
 allow ot_daemon threadnetwork_data_file:file create_file_perms;
 allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
 
+# Allow OT daemon to read/write the Thread tunnel interface
+allow ot_daemon tun_device:chr_file {read write};
+
 hal_client_domain(ot_daemon, hal_threadnetwork)
+
+# Only ot_daemon can publish the binder service
+binder_use(ot_daemon)
+add_service(ot_daemon, ot_daemon_service)
+binder_call(ot_daemon, system_server)

private/service_contexts

@@ -317,6 +317,7 @@ notification                              u:object_r:notification_service:s0
 oem_lock                                  u:object_r:oem_lock_service:s0
 ondevicepersonalization_system_service    u:object_r:ondevicepersonalization_system_service:s0
 otadexopt                                 u:object_r:otadexopt_service:s0
+ot_daemon                                 u:object_r:ot_daemon_service:s0
 overlay                                   u:object_r:overlay_service:s0
 pac_proxy                                 u:object_r:pac_proxy_service:s0
 package                                   u:object_r:package_service:s0

private/system_server.te

@@ -296,6 +296,7 @@ binder_call(system_server, idmap)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
 binder_call(system_server, netd)
+binder_call(system_server, ot_daemon)
 userdebug_or_eng(`binder_call(system_server, profcollectd)')
 binder_call(system_server, statsd)
 binder_call(system_server, storaged)
@@ -954,6 +955,7 @@ allow system_server mediadrmserver_service:service_manager find;
 allow system_server mediatuner_service:service_manager find;
 allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
+allow system_server ot_daemon_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server stats_service:service_manager find;
 allow system_server storaged_service:service_manager find;

public/service.te

@@ -37,6 +37,7 @@ type mediatranscoding_service,  app_api_service, service_manager_type;
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
+type ot_daemon_service,         service_manager_type;
 type radio_service,             service_manager_type;
 type secure_element_service,    service_manager_type;
 type service_manager_service,   service_manager_type;