| #permissive cnd; |
| type cnd, domain; |
| type cnd_exec, exec_type, file_type; |
| file_type_auto_trans(cnd, socket_device, cnd_socket); |
| |
| # cnd is started by init, type transit from init domain to cnd domain |
| init_daemon_domain(cnd) |
| # associate netdomain as an attribute of cnd domain |
| net_domain(cnd) |
| |
| allow cnd smem_log_device:chr_file rw_file_perms; |
| |
| # allow cnd the following capability |
| allow cnd self:capability { setuid setgid dac_override net_raw chown |
| fsetid net_admin sys_module }; |
| allow cnd self:capability2 block_suspend; |
| |
| # socket used to communicate with kernel via the netlink syscall |
| allow cnd self:netlink_tcpdiag_socket { bind create write read |
| nlmsg_read getopt}; |
| allow cnd self:netlink_route_socket { read bind create write |
| nlmsg_read }; |
| allow cnd self:netlink_socket { create setopt getopt bind getattr write read }; |
| |
| # allow cnd to set system property |
| allow cnd system_prop:property_service set; |
| allow cnd property_socket:sock_file write; |
| allow cnd init:unix_stream_socket connectto; |
| |
| # allow cnd to communicate with wlan driver |
| allow cnd kernel:system module_request; |
| |
| # allow cnd to access cnd_data_file |
| allow cnd cnd_data_file:file create_file_perms; |
| allow cnd cnd_data_file:sock_file { unlink create setattr }; |
| allow cnd cnd_data_file:dir { open read write add_name remove_name search }; |
| |
| # allow cnd to access qmux_radio_socket |
| qmux_socket(cnd) |
| |
| # cnd access diag_device /dev/diag for logging |
| allow cnd diag_device:chr_file { read write open ioctl }; |
| |
| # allow cnd to access wpa_socket |
| allow cnd wpa:unix_dgram_socket sendto; |
| allow cnd wpa_socket:dir { write remove_name search add_name search }; |
| allow cnd wpa_socket:sock_file { write create unlink setattr }; |
| allow cnd wifi_data_file:dir search; |
| # allow cnd to obtain wakelock |
| allow cnd sysfs_wake_lock:file { open append }; |
| |
| # allow cnd to communicate with all application |
| allow cnd appdomain:dir search; |
| allow cnd appdomain:fd use; |
| allow cnd appdomain:file { read open }; |
| allow cnd appdomain:tcp_socket rw_socket_perms; |
| |
| # allow cnd to communicate with system_server |
| allow cnd system_server:dir search; |
| allow cnd system_server:file { read open }; |
| allow cnd system_server:tcp_socket { write getattr shutdown getopt read bind }; |
| |
| # allow cnd to communicate with mediaserver |
| allow cnd mediaserver:dir search; |
| allow cnd mediaserver:fd use; |
| allow cnd mediaserver:tcp_socket { read write bind getattr shutdown getopt }; |
| allow cnd mediaserver:file { open read }; |
| |
| # allow cnd to perform socket operation on itself |
| allow cnd self:socket create_socket_perms; |
| |
| # allow cnd to access ipa_dev |
| allow cnd ipa_dev:chr_file r_file_perms; |
| |
| # allow access to nims |
| allow cnd socket_device:dir remove_name; |