#
# ot_daemon is the native Thread network stack on the host (Android) side.
# Refer to https://www.threadgroup.org for Thread network knowledge.
#

# ot_daemon
type ot_daemon, domain, coredomain;
type ot_daemon_exec, exec_type, file_type, system_file_type;

# Allow init ot_daemon
init_daemon_domain(ot_daemon)
# Allow the ot_daemon to use the net domain.
net_domain(ot_daemon)

# Allow ot_daemon to find /data/misc/apexdata/com.android.tethering
allow ot_daemon apex_module_data_file:dir search;

# Allow the ot_daemon to access files and subdirectories under
# /data/misc/apexdata/com\.android\.tethering
allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms};
allow ot_daemon apex_tethering_data_file:file create_file_perms;

# Allow OT daemon to read/write the Thread tunnel interface
allow ot_daemon tun_device:chr_file {read write};

# Allow OT daemon to read/write on the socket created by System Server
allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl;

# Allow OT daemon to read/write on the UDP sockets created by system server
allow ot_daemon system_server:udp_socket rw_socket_perms;

hal_client_domain(ot_daemon, hal_threadnetwork)

# Only ot_daemon can publish the binder service
binder_use(ot_daemon)
add_service(ot_daemon, ot_daemon_service)
binder_call(ot_daemon, system_server)

# Allow OT daemon to write to statsd
unix_socket_send(ot_daemon, statsdw, statsd)

# For collecting bugreports.
allow ot_daemon dumpstate:fd use;
allow ot_daemon dumpstate:fifo_file write;

# ot-daemon socket is for only ot-daemon and ot-ctl
neverallow {
  domain
  -ot_daemon
  userdebug_or_eng(`-ot_ctl')
  -init
  -vendor_init
} ot_daemon_socket:sock_file *;
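A policy like the one above is usually reviewed against the AVC denials a device actually logs: anything ot_daemon is refused that the rules were meant to grant points at a labeling or policy gap, while a denial that the trailing `neverallow` fences off (another domain touching `ot_daemon_socket:sock_file`) is working as intended. The following Python script is an added example, not part of the Android policy sources; the three `avc: denied` lines it parses are constructed to match the kernel's audit format, and the set of domains it treats as legitimate socket clients is taken from the `neverallow` block (with `ot_ctl` assumed present, as on userdebug/eng builds).

```python
import re
from collections import Counter

# Domains the neverallow above exempts, i.e. the only legitimate clients of
# ot_daemon_socket:sock_file (ot_ctl is assumed available, as on userdebug/eng).
PROTECTED_SOCKET_CLIENTS = {"ot_daemon", "ot_ctl", "init", "vendor_init"}

# Constructed sample denials in the kernel's AVC log format (not real captures).
SAMPLE_DENIALS = """\
avc: denied { ioctl } for comm="ot_daemon" path="/dev/tun" dev="tmpfs" ino=42 scontext=u:r:ot_daemon:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0
avc: denied { getattr } for comm="ot_daemon" path="/dev/tun" dev="tmpfs" ino=42 scontext=u:r:ot_daemon:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0
avc: denied { write } for comm="sh" name="ot-daemon" dev="tmpfs" ino=7 scontext=u:r:shell:s0 tcontext=u:object_r:ot_daemon_socket:s0 tclass=sock_file permissive=0
"""

# Pull the permission set, source domain, target type and object class out of
# one AVC line. Contexts look like u:r:<domain>:s0 or u:object_r:<type>:s0.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \}.*?"
    r"scontext=u:r:(?P<sdomain>[^:]+):s0.*?"
    r"tcontext=u:(?:r|object_r):(?P<ttype>[^:]+):s0.*?"
    r"tclass=(?P<tclass>\S+)"
)


def parse_denials(text):
    """Return one dict per parseable AVC denial line; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": tuple(m.group("perms").split()),
            "sdomain": m.group("sdomain"),
            "ttype": m.group("ttype"),
            "tclass": m.group("tclass"),
        })
    return denials


def socket_denials_by_design(denials):
    """Denials the neverallow fences: a domain outside the exempt set reaching
    ot_daemon_socket:sock_file. These must never be 'fixed' by adding allow rules."""
    return [
        d for d in denials
        if d["ttype"] == "ot_daemon_socket"
        and d["tclass"] == "sock_file"
        and d["sdomain"] not in PROTECTED_SOCKET_CLIENTS
    ]


def ot_daemon_denials(denials):
    """Count (target type, class, permission) triples refused to ot_daemon itself;
    these are the candidates for a policy or labeling review."""
    counts = Counter()
    for d in denials:
        if d["sdomain"] != "ot_daemon":
            continue
        for perm in d["perms"]:
            counts[(d["ttype"], d["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_denials(SAMPLE_DENIALS)
    for key, n in sorted(ot_daemon_denials(parsed).items()):
        print("ot_daemon refused %s:%s %s (x%d)" % (key[0], key[1], key[2], n))
    for d in socket_denials_by_design(parsed):
        print("by design: %s blocked from ot_daemon_socket:sock_file" % d["sdomain"])
```

Run against a real `adb logcat -b all | grep avc` dump instead of the constructed sample to get the same two lists. In the sample, the `ioctl` and `getattr` refusals on `tun_device` are exactly what the policy's `{read write}` grant predicts, so they are the ones to weigh for a rule change; the `shell` write to the socket is the `neverallow` doing its job.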