private/dpmd.te

# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above
#       copyright notice, this list of conditions and the following
#       disclaimer in the documentation and/or other materials provided
#       with the distribution.
#     * Neither the name of The Linux Foundation nor the names of its
#       contributors may be used to endorse or promote products derived
#       from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


typeattribute dpmd coredomain;
typeattribute dpmd mlstrustedsubject;
type dpmd_exec, system_file_type, exec_type, file_type;

init_daemon_domain(dpmd)

net_domain(dpmd)

allow dpmd {
    dpmd_exec
    system_file
}:file x_file_perms;

allow dpmd dpmd_data_file:file create_file_perms;
allow dpmd dpmd_data_file:dir create_dir_perms;
r_dir_file(dpmd,proc_net)

allow dpmd self:capability {
    setuid
    net_raw
    net_admin
};

allow dpmd self:capability2 wake_alarm;

r_dir_file(dpmd, appdomain)

wakelock_use(dpmd)
allow dpmd shell_exec:file rx_file_perms;
dontaudit dpmd self:capability sys_module;
set_prop(dpmd, persist_dpm_prop)
get_prop(dpmd, persist_dpm_prop)
#allow dpmd to create socket
allow dpmd self:socket create_socket_perms_no_ioctl;
allow dpmd self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
dpmd_socket_perm(priv_app)
dpmd_socket_perm(system_server)
dpmd_socket_perm(system_app)
dpmd_socket_perm(untrusted_app)
dpmd_socket_perm(untrusted_app_25)
dpmd_socket_perm(platform_app)
#allow dpmd to write to /proc/net/sys
allow dpmd proc_net:file write;