#
# ot_daemon is the native Thread network stack on the host (Android) side.
# Refer to https://www.threadgroup.org for Thread network knowledge.
#

# ot_daemon
type ot_daemon, domain, coredomain;
type ot_daemon_exec, exec_type, file_type, system_file_type;

# Allow init ot_daemon
init_daemon_domain(ot_daemon)
# Allow the ot_daemon to use the net domain.
net_domain(ot_daemon)

# Allow ot_daemon to find /data/misc/apexdata/com.android.tethering
allow ot_daemon apex_module_data_file:dir search;

# Allow the ot_daemon to access files and subdirectories under
# /data/misc/apexdata/com\.android\.tethering
allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms};
allow ot_daemon apex_tethering_data_file:file create_file_perms;

# Allow OT daemon to read/write the Thread tunnel interface
allow ot_daemon tun_device:chr_file {read write};

# Allow OT daemon to read/write on the socket created by System Server
allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl;

hal_client_domain(ot_daemon, hal_threadnetwork)

# Only ot_daemon can publish the binder service
binder_use(ot_daemon)
add_service(ot_daemon, ot_daemon_service)
binder_call(ot_daemon, system_server)

# Allow OT daemon to write to statsd
unix_socket_send(ot_daemon, statsdw, statsd)

# For collecting bugreports.
allow ot_daemon dumpstate:fd use;
allow ot_daemon dumpstate:fifo_file write;

# ot-daemon socket is for only ot-daemon and ot-ctl
neverallow {
  domain
  -ot_daemon
  userdebug_or_eng(`-ot_ctl')
  -init
  -vendor_init
} ot_daemon_socket:sock_file *;