Gitiles
Code Review Sign In
review.blissroms.org / platform_device_qcom_sepolicy-legacy / refs/heads/t / . / common / cnd.te
blob: 4b1ed3892713b86a564bcafed13193ef1d93d616 [file] [log] [blame]
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]1#permissive cnd;
Biswajit Paul6786a922017-03-16 11:53:53 -0700[diff] [blame]2type cnd, domain, mlstrustedsubject;
Ravi Kumar Siddojigaric7def122017-06-13 00:49:19 +0530[diff] [blame]3type cnd_exec, exec_type, vendor_file_type, file_type;
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]4file_type_auto_trans(cnd, socket_device, cnd_socket);
5
6# cnd is started by init, type transit from init domain to cnd domain
7init_daemon_domain(cnd)
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]8
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]9# associate netdomain as an attribute of cnd domain
10net_domain(cnd)
11
Biswajit Paul64f83f62014-10-13 14:36:16 -0700[diff] [blame]12allow cnd smem_log_device:chr_file rw_file_perms;
13
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]14# allow cnd the following capability
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]15allow cnd self:capability {
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]16 net_admin
17 sys_module
Sunmeet Gille7e5f012016-06-30 16:01:07 -0700[diff] [blame]18 net_bind_service
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]19};
20
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]21allow cnd self:capability2 block_suspend;
22
23# socket used to communicate with kernel via the netlink syscall
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]24allow cnd self:{
25 netlink_tcpdiag_socket
26 netlink_route_socket
27 netlink_socket
Biswajit Paulc6024d22016-07-06 17:35:41 -0700[diff] [blame]28 netlink_generic_socket
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]29 # allow cnd to perform socket operation on itself
30 socket
Biswajit Paul2d35d982017-02-01 17:40:10 -0800[diff] [blame]31} create_socket_perms_no_ioctl;
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]32
Sanket Khidkikar83999622015-08-19 11:03:48 -0700[diff] [blame]33# allow cnd to read tcp diagnostics through netlink
34allow cnd self:netlink_tcpdiag_socket nlmsg_read;
35
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]36# allow cnd to set system property
sahil madekaa3608c92017-05-12 15:41:40 -0700[diff] [blame]37set_prop(cnd, system_prop)
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]38
39# allow cnd to access cnd_data_file
40allow cnd cnd_data_file:file create_file_perms;
41allow cnd cnd_data_file:sock_file { unlink create setattr };
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]42allow cnd cnd_data_file:dir rw_dir_perms;
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]43
44# allow cnd to access qmux_radio_socket
Biswajit Paul64f83f62014-10-13 14:36:16 -0700[diff] [blame]45qmux_socket(cnd)
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]46
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]47# allow cnd to access wpa_socket
Devi Sandeep Endluri V V98379eb2017-06-20 22:19:40 -0700[diff] [blame]48unix_socket_send(cnd, wpa, hal_wifi_supplicant)
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]49allow cnd wpa_socket:dir rw_dir_perms;
50allow cnd wpa_socket:sock_file { create unlink setattr };
Devi Sandeep Endluri V V3e2b4522017-08-09 20:48:01 +0530[diff] [blame]51allow cnd wifi_data_file:dir r_dir_perms;
Devi Sandeep Endluri V V98379eb2017-06-20 22:19:40 -0700[diff] [blame]52allow cnd wifi_vendor_data_file:dir r_dir_perms;
Ayishwarya Narasimhan03b22d22017-08-02 15:29:55 -0700[diff] [blame]53allow cnd wifi_vendor_wpa_socket:sock_file write;
Devi Sandeep Endluri V V98379eb2017-06-20 22:19:40 -0700[diff] [blame]54
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]55# allow cnd to obtain wakelock
Avijit Kanti Das441bad42015-05-12 14:07:41 -0700[diff] [blame]56wakelock_use(cnd)
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]57
Boxiang Pan278d3e92015-04-07 17:52:17 -0700[diff] [blame]58# allow cnd to get appname and use inet socket
Ravi Kumar Siddojigaric7def122017-06-13 00:49:19 +0530[diff] [blame]59#cnd_nims_socket_perm(appdomain)
60#cnd_nims_socket_perm(system_server)
61#cnd_nims_socket_perm(mediaserver)
62#cnd_nims_socket_perm(mtp)
63#cnd_nims_socket_perm(wfdservice)
64#cnd_nims_socket_perm(drmserver)
Sanket Khidkikaradfecd92015-02-13 18:06:23 -0800[diff] [blame]65
Sanket Khidkikaradfecd92015-02-13 18:06:23 -0800[diff] [blame]66# allow access to nims
67allow cnd socket_device:dir remove_name;
Ravinder Konka573a0372015-05-27 17:24:39 +0530[diff] [blame]68
Bryse Flowers8054fe62015-06-16 10:57:02 -0700[diff] [blame]69# explicitly allow udp socket permissions for appdomain
Ravi Kumar Siddojigaric7def122017-06-13 00:49:19 +0530[diff] [blame]70#allow cnd appdomain:udp_socket rw_socket_perms;
Boxiang Pana5ec4ab2015-08-06 12:39:02 -0700[diff] [blame]71
Michael Bestas0feb07d2018-10-05 00:37:23 +0300[diff] [blame]72#allow cnd daemon to invoke hostapd_cli
73allow cnd vendor_shell_exec:file rx_file_perms;
74domain_auto_trans(cnd, hostapd_exec, hostapd)
75allow cnd hostapd_socket:dir r_dir_perms;
76unix_socket_send(cnd, hostapd, hostapd)
77
Sanket Khidkikar2e10de32015-10-05 20:26:00 -0700[diff] [blame]78# only allow getopt for appdomain
79allow appdomain zygote:unix_dgram_socket getopt;
80dontaudit { domain -appdomain } zygote:unix_dgram_socket getopt;
Biswajit Paul277acbb2016-07-20 12:02:14 -0700[diff] [blame]81
82#diag
83userdebug_or_eng(`
84 diag_use(cnd)
85')
Biswajit Paulf63bd142017-03-16 16:41:02 -0700[diff] [blame]86
87allow cnd proc_meminfo:file r_file_perms;
88allow cnd self:socket ioctl;
89allowxperm cnd self:socket ioctl msm_sock_ipc_ioctls;
Devi Sandeep Endluri V Vbc24d252017-08-08 20:51:03 +0530[diff] [blame]90
91allow cnd self:udp_socket ioctl;
92allowxperm cnd self:udp_socket ioctl wlan_sock_ioctls;
93
Biswajit Paulf63bd142017-03-16 16:41:02 -0700[diff] [blame]94allow cnd sysfs:file r_file_perms;
Sunmeet Gill575d2492017-05-22 19:03:52 -0700[diff] [blame]95allow cnd sysfs_data:file r_file_perms;
Devi Sandeep Endluri V V98379eb2017-06-20 22:19:40 -0700[diff] [blame]96
97add_hwservice(cnd, hal_cne_hwservice)
Tyler Wearaa7b6c82017-09-06 13:14:16 -0700[diff] [blame]98add_hwservice(cnd, hal_latency_hwservice)
Devi Sandeep Endluri V V98379eb2017-06-20 22:19:40 -0700[diff] [blame]99hwbinder_use(cnd)
100get_prop(cnd, hwservicemanager_prop)
Nolen Johnson22b912c2020-06-26 15:46:09 -0400[diff] [blame]101get_prop(cnd, wifi_prop)
Devi Sandeep Endluri V V98379eb2017-06-20 22:19:40 -0700[diff] [blame]102binder_call(cnd, dataservice_app)
103binder_call(cnd, ims)