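#
# ot_daemon is the native Thread network stack on the host (Android) side.
# Refer to https://www.threadgroup.org for Thread network knowledge.
#

# ot_daemon
type ot_daemon, domain, coredomain;
type ot_daemon_exec, exec_type, file_type, system_file_type;

# Allow init to start ot_daemon and transition it into its own domain.
init_daemon_domain(ot_daemon)
# Allow the ot_daemon to use the net domain (generic network access).
net_domain(ot_daemon)

# Allow ot_daemon to find /data/misc/apexdata/com.android.tethering
# (search only on the parent directory; no listing or write).
allow ot_daemon apex_module_data_file:dir search;

# Allow the ot_daemon to access files and subdirectories under
# /data/misc/apexdata/com\.android\.tethering
allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms};
allow ot_daemon apex_tethering_data_file:file create_file_perms;

# Allow OT daemon to read/write the Thread tunnel interface.
# Only read/write is granted, not ioctl: ot_daemon cannot (re)configure the
# tun device through this rule; it presumably only moves packets over a
# descriptor that another domain sets up and hands to it.
allow ot_daemon tun_device:chr_file {read write};

# Allow OT daemon to read/write on the raw IP socket created by System Server.
# ioctl is deliberately excluded (rw_socket_perms_no_ioctl).
allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl;

# Allow OT daemon to read/write on the UDP sockets created by system server.
# NOTE(review): unlike the rawip_socket rule above, rw_socket_perms includes
# ioctl. If ot_daemon does not actually issue socket ioctls on these inherited
# UDP sockets, rw_socket_perms_no_ioctl would be the consistent least-privilege
# choice — confirm against the daemon's socket usage before tightening.
allow ot_daemon system_server:udp_socket rw_socket_perms;

hal_client_domain(ot_daemon, hal_threadnetwork)

# Binder: ot_daemon registers ot_daemon_service with servicemanager and may
# call into system_server. The exclusivity ("only ot_daemon can publish the
# service") is expected to come from the neverallow carried by the add_service
# macro itself, not from anything written in this file.
binder_use(ot_daemon)
add_service(ot_daemon, ot_daemon_service)
binder_call(ot_daemon, system_server)

# Allow OT daemon to write to statsd.
unix_socket_send(ot_daemon, statsdw, statsd)

# For collecting bugreports: use a dumpstate-provided fd and write to its fifo.
allow ot_daemon dumpstate:fd use;
allow ot_daemon dumpstate:fifo_file write;

# The ot-daemon control socket (ot_daemon_socket sock_file) may be touched only
# by ot_daemon itself, by ot_ctl on userdebug/eng builds, and by init /
# vendor_init. Any other domain granted any sock_file permission on it fails
# policy compilation, so later allow rules cannot widen this by accident.
# NOTE(review): ot_daemon_socket is not declared in this file; it is assumed to
# be defined elsewhere in the policy (e.g. file.te / file_contexts).
neverallow {
  domain
  -ot_daemon
  userdebug_or_eng(`-ot_ctl')
  -init
  -vendor_init
} ot_daemon_socket:sock_file *;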