platform_system_sepolicy/public/rild.te

# rild - radio interface layer daemon
type rild, domain, domain_deprecated;
hal_server_domain(rild, hal_telephony)

net_domain(rild)
allowxperm rild self:udp_socket ioctl priv_sock_ioctls;

allow rild self:netlink_route_socket nlmsg_write;
allow rild kernel:system module_request;
allow rild self:capability { setpcap setgid setuid net_admin net_raw };
allow rild alarm_device:chr_file rw_file_perms;
allow rild cgroup:dir create_dir_perms;
allow rild cgroup:{ file lnk_file } r_file_perms;
allow rild radio_device:chr_file rw_file_perms;
allow rild radio_device:blk_file r_file_perms;
allow rild mtd_device:dir search;
allow rild efs_file:dir create_dir_perms;
allow rild efs_file:file create_file_perms;
allow rild shell_exec:file rx_file_perms;
allow rild bluetooth_efs_file:file r_file_perms;
allow rild bluetooth_efs_file:dir r_dir_perms;
allow rild radio_data_file:dir rw_dir_perms;
allow rild radio_data_file:file create_file_perms;
allow rild sdcard_type:dir r_dir_perms;
allow rild system_data_file:dir r_dir_perms;
allow rild system_data_file:file r_file_perms;
allow rild system_file:file x_file_perms;

# property service
set_prop(rild, radio_prop)

allow rild tty_device:chr_file rw_file_perms;

# Allow rild to create and use netlink sockets.
allow rild self:netlink_socket create_socket_perms_no_ioctl;
allow rild self:netlink_generic_socket create_socket_perms_no_ioctl;
allow rild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;

# Access to wake locks
wakelock_use(rild)

r_dir_file(rild, proc)
r_dir_file(rild, proc_net)
r_dir_file(rild, sysfs_type)
r_dir_file(rild, system_file)

# granting the ioctl permission for rild should be device specific
allow rild self:socket create_socket_perms_no_ioctl;