add sepolicy rules for OT daemon binder service
Bug: 262681784
Change-Id: I3b4d3603709a761ad1410b81c0e5b4e4fc51c43c
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index f7e67d8..e373908 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -341,6 +341,7 @@
"oem_lock": EXCEPTION_NO_FUZZER,
"ondevicepersonalization_system_service": EXCEPTION_NO_FUZZER,
"otadexopt": EXCEPTION_NO_FUZZER,
+ "ot_daemon": []string{"ot_daemon_service_fuzzer"},
"overlay": EXCEPTION_NO_FUZZER,
"pac_proxy": EXCEPTION_NO_FUZZER,
"package": EXCEPTION_NO_FUZZER,
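Review bot: The new `"ot_daemon"` entry names a fuzzer module, `ot_daemon_service_fuzzer`, that this change does not add, so the binding now depends on a target living in the ot_daemon project; every neighbouring key in the hunk uses `EXCEPTION_NO_FUZZER` instead. The key has to match the service name registered in `service_contexts` exactly, and `ot_daemon` does match the entry added there. If the fuzzer has not landed yet, the check that consumes this table will presumably fail on the entry, so the CL should be ordered after the fuzzer's or carry a pointer to it, e.g. `"ot_daemon": []string{"ot_daemon_service_fuzzer"}, // defined in the ot_daemon project`.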
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 47d6719..af13c62 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -9,4 +9,5 @@
snapuserd_log_data_file
hal_threadnetwork_service
virtual_camera_service
+ ot_daemon_service
))
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index b22ff90..cdf5486 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -17,4 +17,12 @@
allow ot_daemon threadnetwork_data_file:file create_file_perms;
allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+# Allow OT daemon to read/write the Thread tunnel interface
+allow ot_daemon tun_device:chr_file {read write};
+
hal_client_domain(ot_daemon, hal_threadnetwork)
+
+# Only ot_daemon can publish the binder service
+binder_use(ot_daemon)
+add_service(ot_daemon, ot_daemon_service)
+binder_call(ot_daemon, system_server)
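Review bot: The `tun_device:chr_file {read write}` rule grants read and write but not `open` or `ioctl`, so ot_daemon can only use a tunnel fd that some other domain opens and hands it — presumably system_server over binder, given the bidirectional `binder_call` rules, but this needs confirming against the daemon's code. The comment above the rule should record that the omission is deliberate so a later change does not "fix" it by adding `open`: `# Allow OT daemon to read/write the Thread tunnel interface. The fd is opened by another domain and passed over binder; no open/ioctl is granted here.` The `# Only ot_daemon can publish the binder service` comment is backed by the `add_service` macro, which carries its own neverallow on `add` for every other domain, so no separate neverallow is needed in this file.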
diff --git a/private/service_contexts b/private/service_contexts
index 94f913d..3b1a887 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -317,6 +317,7 @@
oem_lock u:object_r:oem_lock_service:s0
ondevicepersonalization_system_service u:object_r:ondevicepersonalization_system_service:s0
otadexopt u:object_r:otadexopt_service:s0
+ot_daemon u:object_r:ot_daemon_service:s0
overlay u:object_r:overlay_service:s0
pac_proxy u:object_r:pac_proxy_service:s0
package u:object_r:package_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index cacb3c8..119a7ca 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -296,6 +296,7 @@
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
+binder_call(system_server, ot_daemon)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
@@ -954,6 +955,7 @@
allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
+allow system_server ot_daemon_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
diff --git a/public/service.te b/public/service.te
index fa19abc..39cbb10 100644
--- a/public/service.te
+++ b/public/service.te
@@ -37,6 +37,7 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
+type ot_daemon_service, service_manager_type;
type radio_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
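Review bot: `ot_daemon_service` is declared with only `service_manager_type`, unlike the neighbouring `ondevicepersonalization_system_service` line that also carries `system_api_service` and `system_server_service`; that difference is what keeps the service reachable only by domains given an explicit `find` rule (system_server, in this change), and it deserves a comment so the restriction is not widened by analogy: `# ot_daemon_service is published by ot_daemon and consumed only by system_server; deliberately no app/system API attribute.` If app or vendor access is ever required, it should go through system_server's own API rather than by adding `app_api_service` or `system_api_service` here.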