| # |
| # ot_daemon is the native Thread network stack on the host (Android) side. |
| # Refer to https://www.threadgroup.org for Thread network knowledge. |
| # |
| # Policy summary: this file declares the ot_daemon domain and grants it a |
| # small, explicit set of permissions. Anything not listed here (or in the |
| # macros expanded below) is denied by SELinux's default-deny model, so each |
| # rule in this file is also a statement of what the daemon does NOT need. |
| # |
| |
| # ot_daemon |
| # The process domain. `coredomain` marks it as part of the core system |
| # image rather than a vendor component. |
| type ot_daemon, domain, coredomain; |
| # Label for the daemon's executable; `system_file_type` places it in the |
| # system partition's file labelling scheme. |
| type ot_daemon_exec, exec_type, file_type, system_file_type; |
| |
| # Allow init ot_daemon |
| # init_daemon_domain: init may execute ot_daemon_exec and transition into |
| # the ot_daemon domain. No other domain is granted that transition here. |
| init_daemon_domain(ot_daemon) |
| # Allow the ot_daemon to use the net domain. |
| # net_domain: the standard bundle of networking socket permissions; |
| # see the macro definition for the exact set it expands to. |
| net_domain(ot_daemon) |
| |
| # Allow ot_daemon to find /data/misc/apexdata/com.android.tethering |
| # `search` only: the daemon can traverse this directory to reach its own |
| # subdirectory but cannot list or read other apex modules' data. |
| allow ot_daemon apex_module_data_file:dir search; |
| |
| # Allow the ot_daemon to access files and subdirectories under |
| # /data/misc/apexdata/com\.android\.tethering |
| # (the dots are escaped because the path is quoted from file_contexts, |
| # which uses regular expressions). |
| # Read/write plus create on dirs, regular files and unix sockets in the |
| # tethering apex data area; no execute permission is granted on these files. |
| allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms}; |
| allow ot_daemon apex_tethering_data_file:file create_file_perms; |
| allow ot_daemon apex_tethering_data_file:sock_file {create unlink}; |
| |
| # Allow OT daemon to read/write the Thread tunnel interface |
| # Only read/write, not open: under this rule ot_daemon cannot open |
| # tun_device itself, so the tun file descriptor is presumably handed to it |
| # by another domain (not visible in this file) — confirm against the |
| # daemon's startup path. |
| allow ot_daemon tun_device:chr_file {read write}; |
| |
| # Allow OT daemon to read/write on the socket created by System Server |
| # rw_socket_perms_no_ioctl deliberately leaves out `ioctl`, so the daemon |
| # can move data on the system_server-owned raw IP socket but cannot |
| # reconfigure it. |
| allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl; |
| |
| # Client of the Thread network HAL (the radio side of the stack). |
| hal_client_domain(ot_daemon, hal_threadnetwork) |
| |
| # Only ot_daemon can publish the binder service |
| # binder_use: permission to talk to servicemanager and use binder. |
| # add_service: registers ot_daemon_service; in Android's policy this macro |
| # also emits a neverallow so no other domain may register that name. |
| # binder_call: only system_server is listed as a binder peer here. |
| binder_use(ot_daemon) |
| add_service(ot_daemon, ot_daemon_service) |
| binder_call(ot_daemon, system_server) |
| |
| # Allow OT daemon to write to statsd |
| # Send-only on the statsdw socket file owned by statsd (metrics upload). |
| unix_socket_send(ot_daemon, statsdw, statsd) |
| |
| # For collecting bugreports. |
| # dumpstate passes ot_daemon an fd (the pipe) and the daemon may only |
| # write to it; no read access to dumpstate's objects is granted. |
| allow ot_daemon dumpstate:fd use; |
| allow ot_daemon dumpstate:fifo_file write; |