diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go index ba9ce9628..300fbe065 100644 --- a/build/soong/service_fuzzer_bindings.go +++ b/build/soong/service_fuzzer_bindings.go @@ -343,6 +343,7 @@ var ( "oem_lock": EXCEPTION_NO_FUZZER, "ondevicepersonalization_system_service": EXCEPTION_NO_FUZZER, "otadexopt": EXCEPTION_NO_FUZZER, + "ot_daemon": []string{"ot_daemon_service_fuzzer"}, "overlay": EXCEPTION_NO_FUZZER, "pac_proxy": EXCEPTION_NO_FUZZER, "package": EXCEPTION_NO_FUZZER, diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil index 47d6719eb..af13c62f5 100644 --- a/private/compat/34.0/34.0.ignore.cil +++ b/private/compat/34.0/34.0.ignore.cil @@ -9,4 +9,5 @@ snapuserd_log_data_file hal_threadnetwork_service virtual_camera_service + ot_daemon_service )) diff --git a/private/ot_daemon.te b/private/ot_daemon.te index b22ff90fb..cdf5486f5 100644 --- a/private/ot_daemon.te +++ b/private/ot_daemon.te @@ -17,4 +17,12 @@ allow ot_daemon threadnetwork_data_file:dir rw_dir_perms; allow ot_daemon threadnetwork_data_file:file create_file_perms; allow ot_daemon threadnetwork_data_file:sock_file {create unlink}; +# Allow OT daemon to read/write the Thread tunnel interface +allow ot_daemon tun_device:chr_file {read write}; + hal_client_domain(ot_daemon, hal_threadnetwork) + +# Only ot_daemon can publish the binder service +binder_use(ot_daemon) +add_service(ot_daemon, ot_daemon_service) +binder_call(ot_daemon, system_server) diff --git a/private/service_contexts b/private/service_contexts index 936ec6a7e..090469618 100644 --- a/private/service_contexts +++ b/private/service_contexts @@ -318,6 +318,7 @@ notification u:object_r:notification_service:s0 oem_lock u:object_r:oem_lock_service:s0 ondevicepersonalization_system_service u:object_r:ondevicepersonalization_system_service:s0 otadexopt u:object_r:otadexopt_service:s0 +ot_daemon u:object_r:ot_daemon_service:s0 overlay u:object_r:overlay_service:s0 pac_proxy u:object_r:pac_proxy_service:s0 package u:object_r:package_service:s0 diff --git a/private/system_server.te b/private/system_server.te index 47805a42c..53aae7634 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -296,6 +296,7 @@ binder_call(system_server, idmap) binder_call(system_server, installd) binder_call(system_server, incidentd) binder_call(system_server, netd) +binder_call(system_server, ot_daemon) userdebug_or_eng(`binder_call(system_server, profcollectd)') binder_call(system_server, statsd) binder_call(system_server, storaged) @@ -955,6 +956,7 @@ allow system_server mediadrmserver_service:service_manager find; allow system_server mediatuner_service:service_manager find; allow system_server netd_service:service_manager find; allow system_server nfc_service:service_manager find; +allow system_server ot_daemon_service:service_manager find; allow system_server radio_service:service_manager find; allow system_server stats_service:service_manager find; allow system_server storaged_service:service_manager find; diff --git a/public/service.te b/public/service.te index c01e5491a..709059d47 100644 --- a/public/service.te +++ b/public/service.te @@ -37,6 +37,7 @@ type mediatranscoding_service, app_api_service, service_manager_type; type netd_service, service_manager_type; type nfc_service, service_manager_type; type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type; +type ot_daemon_service, service_manager_type; type radio_service, service_manager_type; type secure_element_service, service_manager_type; type service_manager_service, service_manager_type;