Merge "add sepolicy rules for OT daemon binder service" into main am: 9d965761ca
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2648124 Change-Id: I21567f881a585d96a3605f6f1e2d6380daf9bd73 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
commit
0fb33095a4
6 changed files with 14 additions and 0 deletions
|
@ -343,6 +343,7 @@ var (
|
|||
"oem_lock": EXCEPTION_NO_FUZZER,
|
||||
"ondevicepersonalization_system_service": EXCEPTION_NO_FUZZER,
|
||||
"otadexopt": EXCEPTION_NO_FUZZER,
|
||||
"ot_daemon": []string{"ot_daemon_service_fuzzer"},
|
||||
"overlay": EXCEPTION_NO_FUZZER,
|
||||
"pac_proxy": EXCEPTION_NO_FUZZER,
|
||||
"package": EXCEPTION_NO_FUZZER,
|
||||
|
|
|
@ -9,4 +9,5 @@
|
|||
snapuserd_log_data_file
|
||||
hal_threadnetwork_service
|
||||
virtual_camera_service
|
||||
ot_daemon_service
|
||||
))
|
||||
|
|
|
@ -17,4 +17,12 @@ allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
|
|||
allow ot_daemon threadnetwork_data_file:file create_file_perms;
|
||||
allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
|
||||
|
||||
# Allow OT daemon to read/write the Thread tunnel interface
|
||||
allow ot_daemon tun_device:chr_file {read write};
|
||||
|
||||
hal_client_domain(ot_daemon, hal_threadnetwork)
|
||||
|
||||
# Only ot_daemon can publish the binder service
|
||||
binder_use(ot_daemon)
|
||||
add_service(ot_daemon, ot_daemon_service)
|
||||
binder_call(ot_daemon, system_server)
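Review bot: The comment `# Only ot_daemon can publish the binder service` sits above three macros but only describes `add_service(ot_daemon, ot_daemon_service)`; the `binder_call(ot_daemon, system_server)` line below it lets the daemon make outbound binder calls into system_server and carries no stated reason. I would give that line its own comment, for example `# Allow ot_daemon to call back into system_server over binder`, with the actual purpose (presumably callbacks registered by the system_server client) confirmed by the author. Separately, lookups of `ot_daemon_service` are limited to system_server only by the absence of other allow rules. If that restriction is intended, a `neverallow` on `ot_daemon_service:service_manager find` naming the permitted domains would enforce it at build time, though any domain that already holds a broad `service_manager_type` find rule would have to be exempted. The rest of the file lies outside this hunk, so an existing rule of that kind may already be there.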
|
||||
|
|
|
@ -318,6 +318,7 @@ notification u:object_r:notification_service:s0
|
|||
oem_lock u:object_r:oem_lock_service:s0
|
||||
ondevicepersonalization_system_service u:object_r:ondevicepersonalization_system_service:s0
|
||||
otadexopt u:object_r:otadexopt_service:s0
|
||||
ot_daemon u:object_r:ot_daemon_service:s0
|
||||
overlay u:object_r:overlay_service:s0
|
||||
pac_proxy u:object_r:pac_proxy_service:s0
|
||||
package u:object_r:package_service:s0
|
||||
|
|
|
@ -296,6 +296,7 @@ binder_call(system_server, idmap)
|
|||
binder_call(system_server, installd)
|
||||
binder_call(system_server, incidentd)
|
||||
binder_call(system_server, netd)
|
||||
binder_call(system_server, ot_daemon)
|
||||
userdebug_or_eng(`binder_call(system_server, profcollectd)')
|
||||
binder_call(system_server, statsd)
|
||||
binder_call(system_server, storaged)
|
||||
|
@ -954,6 +955,7 @@ allow system_server mediadrmserver_service:service_manager find;
|
|||
allow system_server mediatuner_service:service_manager find;
|
||||
allow system_server netd_service:service_manager find;
|
||||
allow system_server nfc_service:service_manager find;
|
||||
allow system_server ot_daemon_service:service_manager find;
|
||||
allow system_server radio_service:service_manager find;
|
||||
allow system_server stats_service:service_manager find;
|
||||
allow system_server storaged_service:service_manager find;
|
||||
|
|
|
@ -37,6 +37,7 @@ type mediatranscoding_service, app_api_service, service_manager_type;
|
|||
type netd_service, service_manager_type;
|
||||
type nfc_service, service_manager_type;
|
||||
type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
|
||||
type ot_daemon_service, service_manager_type;
|
||||
type radio_service, service_manager_type;
|
||||
type secure_element_service, service_manager_type;
|
||||
type service_manager_service, service_manager_type;
|
||||
|
|