private/ot_daemon.te - LeafOS-Project/android_system_sepolicy - Gitiles

 #
 # ot_daemon is the native Thread network stack on the host (Android) side.
 # Refer to https://www.threadgroup.org for Thread network knowledge.
 #

 # ot_daemon
 type ot_daemon, domain, coredomain;
 type ot_daemon_exec, exec_type, file_type, system_file_type;

 # Allow init ot_daemon
 init_daemon_domain(ot_daemon)
 # Allow the ot_daemon to use the net domain.
 net_domain(ot_daemon)

 # Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
 allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
 allow ot_daemon threadnetwork_data_file:file create_file_perms;
 allow ot_daemon threadnetwork_data_file:sock_file {create unlink};

 # Allow OT daemon to read/write the Thread tunnel interface
 allow ot_daemon tun_device:chr_file {read write};

 hal_client_domain(ot_daemon, hal_threadnetwork)

 # Only ot_daemon can publish the binder service
 binder_use(ot_daemon)
 add_service(ot_daemon, ot_daemon_service)
 binder_call(ot_daemon, system_server)
	#
	# ot_daemon is the native Thread network stack on the host (Android) side.
	# Refer to https://www.threadgroup.org for Thread network knowledge.
	#

	# ot_daemon
	type ot_daemon, domain, coredomain;
	type ot_daemon_exec, exec_type, file_type, system_file_type;

	# Allow init ot_daemon
	init_daemon_domain(ot_daemon)
	# Allow the ot_daemon to use the net domain.
	net_domain(ot_daemon)

	# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
	allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
	allow ot_daemon threadnetwork_data_file:file create_file_perms;
	allow ot_daemon threadnetwork_data_file:sock_file {create unlink};

	# Allow OT daemon to read/write the Thread tunnel interface
	allow ot_daemon tun_device:chr_file {read write};

	hal_client_domain(ot_daemon, hal_threadnetwork)

	# Only ot_daemon can publish the binder service
	binder_use(ot_daemon)
	add_service(ot_daemon, ot_daemon_service)
	binder_call(ot_daemon, system_server)