| # Copyright (c) 2019, The Linux Foundation. All rights reserved. |
| # |
| # Redistribution and use in source and binary forms, with or without |
| # modification, are permitted provided that the following conditions are |
| # met: |
| # * Redistributions of source code must retain the above copyright |
| # notice, this list of conditions and the following disclaimer. |
| # * Redistributions in binary form must reproduce the above |
| # copyright notice, this list of conditions and the following |
| # disclaimer in the documentation and/or other materials provided |
| # with the distribution. |
| # * Neither the name of The Linux Foundation nor the names of its |
| # contributors may be used to endorse or promote products derived |
| # from this software without specific prior written permission. |
| # |
| # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED |
| # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
| # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT |
| # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS |
| # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
| # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, |
| # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE |
| # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN |
| # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| |
| set_prop(vendor_cnd, vendor_cnd_vendor_prop) |
| |
| net_domain(vendor_cnd) |
| |
| allow vendor_cnd vendor_smem_log_device:chr_file rw_file_perms; |
| |
| # allow vendor_cnd the following capability |
| allow vendor_cnd self:capability { |
| net_raw |
| net_admin |
| }; |
| |
| allow vendor_cnd self:{ |
| netlink_tcpdiag_socket |
| netlink_route_socket |
| } create_socket_perms_no_ioctl; |
| |
| # allow vendor_cnd to access wpa_socket |
| allow vendor_cnd vendor_wifi_vendor_data_file:dir r_dir_perms; |
| allow vendor_cnd vendor_wifi_vendor_wpa_socket:sock_file write; |
| |
| # allow vendor_cnd to read wifi_hal_prop |
| get_prop(vendor_cnd, wifi_hal_prop) |
| |
| #allow vendor_cnd daemon to invoke hostapd_cli |
| domain_auto_trans(vendor_cnd, vendor_hostapd_exec, vendor_hostapd) |
| allow vendor_cnd vendor_hostapd_socket:dir r_dir_perms; |
| unix_socket_send(vendor_cnd, vendor_hostapd, vendor_hostapd) |
| |
| # only allow getopt for appdomain |
| allow appdomain zygote:unix_dgram_socket getopt; |
| dontaudit { domain -appdomain } zygote:unix_dgram_socket getopt; |
| |
| allow vendor_cnd self:socket create_socket_perms_no_ioctl; |
| |
| allowxperm vendor_cnd self:udp_socket ioctl wlan_sock_ioctls; |
| |
| add_hwservice(vendor_cnd, vendor_hal_latency_hwservice) |
| |
| add_hwservice(vendor_cnd, vendor_hal_slmadapter_hwservice) |
| |
| get_prop(vendor_cnd, vendor_slm_prop) |
| |
| hal_server_domain_bypass(vendor_cnd, vendor_hal_mwqemadapter_qti) |
| binder_call(vendor_hal_mwqemadapter_qti_client, vendor_hal_mwqemadapter_qti_server) |
| binder_call(vendor_hal_mwqemadapter_qti_server, vendor_hal_mwqemadapter_qti_client) |
| hal_attribute_hwservice(vendor_hal_mwqemadapter_qti, vendor_hal_mwqemadapter_hwservice) |
| |
| get_prop(vendor_cnd, vendor_mwqem_prop) |
| |
| use_shsusrd_socket(vendor_cnd) |
| |
| hal_client_domain(vendor_cnd,hal_wifi_hostapd) |
| |
| hal_client_domain(vendor_cnd,hal_wifi_supplicant) |
| |
| # allow cnd to access wpa_socket |
| allow vendor_cnd vendor_wifi_vendor_data_file:dir r_dir_perms; |
| allow vendor_cnd vendor_wifi_vendor_wpa_socket:sock_file write; |
| |
| #communicating with wpa supplicant for sending commands/listening to events |
| unix_socket_send(vendor_cnd, wpa, hal_wifi_supplicant) |
| allow vendor_cnd wpa_data_file:dir w_dir_perms; |
| allow vendor_cnd wpa_data_file:sock_file create_file_perms; |
| |
| |
| #communicating with hostapd for sending commands/listening to events |
| allow vendor_cnd hostapd_data_file:dir rw_dir_perms; |
| allow vendor_cnd hostapd_data_file:sock_file create_file_perms; |
| allow vendor_cnd { hal_wifi_hostapd_default }:unix_dgram_socket sendto; |
| |
| vndbinder_use(vendor_cnd) |
| allow vendor_cnd vendor_nwmgr_service:service_manager find; |
| |
| dontaudit vndservicemanager vendor_cnd:binder call; |
| |
| ############################################################## |
| #for using public interface vendor.qti.data.factory |
| #client should add their domain to vendor_cnd.te |
| ############################################################## |
| userdebug_or_eng(` |
| binder_call(vendor_cnd, radio) |
| diag_use(vendor_cnd) |
| ') |