e21496b105
This commit includes two sepolicy changes: 1. change threadnetwork data file to /data/misc/apexdata/com.android.tethering/threadnetwork 2. use apex_tethering_data_file for files under /data/misc/apexdata/com.android.tethering The background is that the Thread daemon (ot_daemon) is merged into the Tethering mainline module, which means the Tethering module now has code running in both system_server and the standalone unprivileged ot_daemon process. To prevent ot_daemon from accessing other apex_system_server_data_file dirs, here use the specific apex_tethering_data_file for both Tethering and Thread files (A subdirectory threadnetwork/ will be created for Thread at runtime). This is similar to apex_art_data_file and apex_virt_data_file. Note that a file_contexts rule like ``` /data/misc/apexdata/com\.android\.tethering/threadnetwork(/.*)? u:object_r:apex_threadnetwork_data_file:s0 ``` won't work because the threadnetwork/ subdir doesn't exist before the sepolicy rules are evaluated. Bug: 309932508 Test: manually verified that Thread settings file can be written to /data/misc/apexdata/com.android.tethering/threadnetwork Change-Id: I66539865ef388115c8e9b388b43291d8faf1f384
42 lines
1.4 KiB
Text
#
|
|
# ot_daemon is the native Thread network stack on the host (Android) side.
|
|
# Refer to https://www.threadgroup.org for Thread network knowledge.
|
|
#
|
|
|
|
# ot_daemon
|
|
type ot_daemon, domain, coredomain;
|
|
type ot_daemon_exec, exec_type, file_type, system_file_type;
|
|
|
|
# Allow init ot_daemon
|
|
init_daemon_domain(ot_daemon)
|
|
# Allow the ot_daemon to use the net domain.
|
|
net_domain(ot_daemon)
|
|
|
|
# Allow ot_daemon to find /data/misc/apexdata/com.android.tethering
|
|
allow ot_daemon apex_module_data_file:dir search;
|
|
|
|
# Allow the ot_daemon to access files and subdirectories under
|
|
# /data/misc/apexdata/com\.android\.tethering
|
|
allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms};
|
|
allow ot_daemon apex_tethering_data_file:file create_file_perms;
|
|
allow ot_daemon apex_tethering_data_file:sock_file {create unlink};
|
|
|
|
# Allow OT daemon to read/write the Thread tunnel interface
|
|
allow ot_daemon tun_device:chr_file {read write};
|
|
|
|
# Allow OT daemon to read/write on the socket created by System Server
|
|
allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl;
|
|
|
|
hal_client_domain(ot_daemon, hal_threadnetwork)
|
|
|
|
# Only ot_daemon can publish the binder service
|
|
binder_use(ot_daemon)
|
|
add_service(ot_daemon, ot_daemon_service)
|
|
binder_call(ot_daemon, system_server)
|
|
|
|
# Allow OT daemon to write to statsd
|
|
unix_socket_send(ot_daemon, statsdw, statsd)
|
|
|
|
# For collecting bugreports.
|
|
allow ot_daemon dumpstate:fd use;
|
|
allow ot_daemon dumpstate:fifo_file write;
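Review bot: The three allow rules on apex_tethering_data_file (the dir, file and sock_file lines after the "Allow the ot_daemon to access files and subdirectories" comment) give the unprivileged ot_daemon create/read/write on everything carrying that label, which per the commit message includes the Tethering data that system_server writes, not just the threadnetwork/ subdirectory. If that sharing is intended, the comment should say so, e.g. `# NOTE: this label is shared with system_server's Tethering data; ot_daemon can read/write all of it, not only threadnetwork/`. If the intent is isolation, the file_contexts limitation described in the commit message is normally solved with a named file transition (`type_transition ot_daemon apex_tethering_data_file:dir <dedicated_type> "threadnetwork";`) so the subdirectory receives its own label at creation time and the rules above can be narrowed to that type; I cannot tell from this file whether a dedicated type exists elsewhere in the tree. As a style point, the path in the comment is written with regex escapes (`com\.android\.tethering`) while the earlier search comment uses the plain path; the comments are not file_contexts patterns, so the plain form would be consistent.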
|