[Thread] limit ot-daemon socket to ot-ctl

It's better to explicitly disallow access to ot-daemon from anything other
than ot-ctl.

Bug: 323502847
Change-Id: Ic46ad4e8f3a1d21bbfc9f4f01e6a692aafcdb815
Kangping Dong 2024-02-29 23:43:34 +08:00
parent 7fdf451d8d
commit 90495cc79f
4 changed files with 23 additions and 0 deletions


@ -367,6 +367,7 @@
/system/bin/mediatranscoding mediatranscoding_exec /system/bin/mediatranscoding mediatranscoding_exec
/system/bin/mediatuner mediatuner_exec /system/bin/mediatuner mediatuner_exec
/system/bin/mdnsd mdnsd_exec /system/bin/mdnsd mdnsd_exec
/system/bin/ot-ctl ot_ctl_exec
/system/bin/installd installd_exec /system/bin/installd installd_exec
/system/bin/otapreopt_chroot otapreopt_chroot_exec /system/bin/otapreopt_chroot otapreopt_chroot_exec
/system/bin/otapreopt_slot otapreopt_slot_exec /system/bin/otapreopt_slot otapreopt_slot_exec


@ -288,6 +288,7 @@
/system/bin/vold u:object_r:vold_exec:s0 /system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0 /system/bin/netd u:object_r:netd_exec:s0
/system/bin/wificond u:object_r:wificond_exec:s0 /system/bin/wificond u:object_r:wificond_exec:s0
/system/bin/ot-ctl u:object_r:ot_ctl_exec:s0
/system/bin/audioserver u:object_r:audioserver_exec:s0 /system/bin/audioserver u:object_r:audioserver_exec:s0
/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0 /system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0 /system/bin/mediaserver u:object_r:mediaserver_exec:s0

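--- /dev/null
+++ b/private/ot_ctl.te
@@ -0,0 +1,12 @@
+#
+# ot-ctl is a command line tool for controlling ot-daemon
+#
+type ot_ctl, domain, coredomain;
+type ot_ctl_exec, exec_type, file_type, system_file_type;
+# ot-ctl is available in only userdebug or eng build
+userdebug_or_eng(`
+# ot-ctl connects to ot-daemon via the socket
+allow ot_ctl ot_daemon_socket:sock_file rw_file_perms;
+')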
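Review bot: The rule `allow ot_ctl ot_daemon_socket:sock_file rw_file_perms;` grants more on the socket file than a connecting client needs, and on its own it does not cover the `connectto` check against ot_daemon's socket. Assuming this is a stream socket and no other rule supplies that permission, `unix_socket_connect(ot_ctl, ot_daemon, ot_daemon)` would grant exactly `sock_file write` plus `unix_stream_socket connectto` and keep the client at least privilege. The two `type` declarations also sit outside `userdebug_or_eng`, so `ot_ctl` and `ot_ctl_exec` exist on user builds with no rules attached. No transition into `ot_ctl` is visible in this file, so a comment saying whether the user-build types are intentional and how a process enters the domain would help.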


@ -39,3 +39,12 @@ unix_socket_send(ot_daemon, statsdw, statsd)
# For collecting bugreports. # For collecting bugreports.
allow ot_daemon dumpstate:fd use; allow ot_daemon dumpstate:fd use;
allow ot_daemon dumpstate:fifo_file write; allow ot_daemon dumpstate:fifo_file write;
# ot-daemon socket is for only ot-daemon and ot-ctl
neverallow {
domain
-ot_daemon
userdebug_or_eng(`-ot_ctl')
-init
-vendor_init
} ot_daemon_socket:sock_file *;
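Review bot: The comment above this neverallow says the socket is for ot-daemon and ot-ctl only, but the exemption list also carries `-init` and `-vendor_init`, and the rule spans every permission (`*`). I would extend the comment to say why each is exempt, for example `# init is exempt because it creates and labels the socket; vendor_init: <reason>`, or drop `-vendor_init` if nothing on the vendor init path touches this socket. The assertion also constrains only the `sock_file` object. If the intent is that no other domain can talk to ot-daemon, a companion neverallow on `ot_daemon:unix_stream_socket connectto` with the same client exemptions would pin the connection itself, not just the filesystem node.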