common/dpmd.te - platform_device_qcom_sepolicy - Gitiles

 #dpmd as domain
 type dpmd, domain, mlstrustedsubject;
 type dpmd_exec, exec_type, file_type;
 file_type_auto_trans(dpmd, socket_device, dpmwrapper_socket);
 init_daemon_domain(dpmd)
 net_domain(dpmd)
 allow dpmd {
     dpmd_exec
     system_file
 }:file x_file_perms;

 #allow dpmd to access dpm_data_file
 allow dpmd dpmd_data_file:file create_file_perms;
 allow dpmd dpmd_data_file:dir create_dir_perms;

 #allow dpmd to access qmux radio socket
 qmux_socket(dpmd);

 allow dpmd sysfs_wake_lock:file rw_file_perms;

 #self capability
 allow dpmd self:{
     socket
     netlink_socket
 } rw_socket_perms;

 allow dpmd self:capability {
     setuid
     setgid
     dac_override
     net_raw chown
     fsetid
     net_admin
     sys_module
 };

 #socket, self
 allow dpmd smem_log_device:chr_file rw_file_perms;
 unix_socket_connect(dpmd, property, init)
 wakelock_use(dpmd)

 allow dpmd {
     system_prop
     ctl_default_prop
 }:property_service set;

 #misc.
 allow dpmd shell_exec:file rx_file_perms;

 #permission to unlink dpmwrapper socket
 allow dpmd socket_device:dir remove_name;

 #permission to communicate with cnd_socket for installing iptable rules
 unix_socket_connect(dpmd, cnd, cnd);

 #allow dpmd to create socket
 allow dpmd self:socket create_socket_perms;
 allow dpmd self:netlink_socket create_socket_perms;

 #allow dpmd to write to /proc/net/sys
 allow dpmd proc_net:file write;

 #allow dpmd get appname and use inet socket.
 dpmd_socket_perm(appdomain)
 dpmd_socket_perm(system_server)
 dpmd_socket_perm(mediaserver)
 dpmd_socket_perm(mtp)
 dpmd_socket_perm(wfdservice)
 dpmd_socket_perm(drmserver)

 #explicitly allow udp socket permissions for appdomain
 allow dpmd appdomain:udp_socket rw_socket_perms;
	#dpmd as domain
	type dpmd, domain, mlstrustedsubject;
	type dpmd_exec, exec_type, file_type;
	file_type_auto_trans(dpmd, socket_device, dpmwrapper_socket);
	init_daemon_domain(dpmd)
	net_domain(dpmd)
	allow dpmd {
	dpmd_exec
	system_file
	}:file x_file_perms;

	#allow dpmd to access dpm_data_file
	allow dpmd dpmd_data_file:file create_file_perms;
	allow dpmd dpmd_data_file:dir create_dir_perms;

	#allow dpmd to access qmux radio socket
	qmux_socket(dpmd);

	allow dpmd sysfs_wake_lock:file rw_file_perms;

	#self capability
	allow dpmd self:{
	socket
	netlink_socket
	} rw_socket_perms;

	allow dpmd self:capability {
	setuid
	setgid
	dac_override
	net_raw chown
	fsetid
	net_admin
	sys_module
	};

	#socket, self
	allow dpmd smem_log_device:chr_file rw_file_perms;
	unix_socket_connect(dpmd, property, init)
	wakelock_use(dpmd)

	allow dpmd {
	system_prop
	ctl_default_prop
	}:property_service set;

	#misc.
	allow dpmd shell_exec:file rx_file_perms;

	#permission to unlink dpmwrapper socket
	allow dpmd socket_device:dir remove_name;

	#permission to communicate with cnd_socket for installing iptable rules
	unix_socket_connect(dpmd, cnd, cnd);

	#allow dpmd to create socket
	allow dpmd self:socket create_socket_perms;
	allow dpmd self:netlink_socket create_socket_perms;

	#allow dpmd to write to /proc/net/sys
	allow dpmd proc_net:file write;

	#allow dpmd get appname and use inet socket.
	dpmd_socket_perm(appdomain)
	dpmd_socket_perm(system_server)
	dpmd_socket_perm(mediaserver)
	dpmd_socket_perm(mtp)
	dpmd_socket_perm(wfdservice)
	dpmd_socket_perm(drmserver)

	#explicitly allow udp socket permissions for appdomain
	allow dpmd appdomain:udp_socket rw_socket_perms;