Merge "add sepolicy rules for OT daemon binder service" into main am: 9d965761ca

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2648124

Change-Id: I21567f881a585d96a3605f6f1e2d6380daf9bd73
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Kangping Dong 2023-08-03 14:59:26 +00:00 committed by Automerger Merge Worker
commit 0fb33095a4
6 changed files with 14 additions and 0 deletions


@ -343,6 +343,7 @@ var (
"oem_lock": EXCEPTION_NO_FUZZER,
"ondevicepersonalization_system_service": EXCEPTION_NO_FUZZER,
"otadexopt": EXCEPTION_NO_FUZZER,
"ot_daemon": []string{"ot_daemon_service_fuzzer"},
"overlay": EXCEPTION_NO_FUZZER,
"pac_proxy": EXCEPTION_NO_FUZZER,
"package": EXCEPTION_NO_FUZZER,
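Review bot: The new `"ot_daemon": []string{"ot_daemon_service_fuzzer"}` entry declares that a fuzzer for the new binder service exists, but no fuzzer target is part of this change; presumably it lives in the daemon's own repository, and it should be confirmed to build, otherwise a binder interface exported by a native daemon is recorded as fuzzed without any fuzzer behind it. The entry also sits after `"otadexopt"` although the surrounding keys are in byte order (`"oem_lock"`, `"ondevicepersonalization_system_service"`, `"otadexopt"`, `"overlay"`), under which `"ot_daemon"` sorts before `"otadexopt"`; the same placement is used for `ot_daemon u:object_r:ot_daemon_service:s0` in the service_contexts hunk below. The enclosing `var (` block starts outside the hunk.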


@ -9,4 +9,5 @@
snapuserd_log_data_file
hal_threadnetwork_service
virtual_camera_service
ot_daemon_service
))


@ -17,4 +17,12 @@ allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
allow ot_daemon threadnetwork_data_file:file create_file_perms;
allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
# Allow OT daemon to read/write the Thread tunnel interface
allow ot_daemon tun_device:chr_file {read write};
hal_client_domain(ot_daemon, hal_threadnetwork)
# Only ot_daemon can publish the binder service
binder_use(ot_daemon)
add_service(ot_daemon, ot_daemon_service)
binder_call(ot_daemon, system_server)
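Review bot: The new `binder_use`/`add_service`/`binder_call` lines let ot_daemon publish `ot_daemon_service` and call into system_server, but nothing in the change restricts who may look the service up: the only `find` granted is to system_server (system_server.te hunk), and since the type is declared as plain `service_manager_type` with no `app_api_service`, app domains should not reach it unless some other rule grants it. If system_server-only is the intended contract, it is worth pinning so a later rule cannot widen it silently, e.g. `neverallow { domain -system_server } ot_daemon_service:service_manager find;` next to the `add_service` line, provided that fits the file's existing neverallow conventions and no other client (such as the HAL side) is planned. The comment `# Only ot_daemon can publish the binder service` describes the neverallow that the `add_service` macro expands to, yet it sits above `binder_use(ot_daemon)`; moving it to directly precede `add_service(ot_daemon, ot_daemon_service)` or rewording it as `# Register the binder service; add_service also forbids any other domain from adding it` would match the rule it refers to. The rendered hunk shows fewer lines than its `+17,12` header implies, so some lines (probably blanks) are not visible here.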


@ -318,6 +318,7 @@ notification u:object_r:notification_service:s0
oem_lock u:object_r:oem_lock_service:s0
ondevicepersonalization_system_service u:object_r:ondevicepersonalization_system_service:s0
otadexopt u:object_r:otadexopt_service:s0
ot_daemon u:object_r:ot_daemon_service:s0
overlay u:object_r:overlay_service:s0
pac_proxy u:object_r:pac_proxy_service:s0
package u:object_r:package_service:s0


@ -296,6 +296,7 @@ binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
binder_call(system_server, ot_daemon)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
@ -954,6 +955,7 @@ allow system_server mediadrmserver_service:service_manager find;
allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server ot_daemon_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;


@ -37,6 +37,7 @@ type mediatranscoding_service, app_api_service, service_manager_type;
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
type ot_daemon_service, service_manager_type;
type radio_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;