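# dpmd: data-path-management daemon domain.
#
# Review pass: rules are kept as-is except that (a) the two pairs of
# self:socket / self:netlink_socket rules are merged (create_socket_perms is a
# superset of rw_socket_perms in AOSP global_macros, so the result is the same
# set of permissions) and (b) stray ';' after macro invocations are dropped, as
# macros already expand to complete rules. Points that need an owner's decision
# are marked TODO(review) rather than silently narrowed.
type dpmd, domain, mlstrustedsubject;
type dpmd_exec, exec_type, file_type;

# Sockets dpmd creates under /dev/socket are labelled dpmwrapper_socket
# (the type must be declared elsewhere, e.g. in file.te).
file_type_auto_trans(dpmd, socket_device, dpmwrapper_socket)
init_daemon_domain(dpmd)
net_domain(dpmd)

allow dpmd { dpmd_exec system_file }:file x_file_perms;

# Private data directory (dpmd_data_file).
allow dpmd dpmd_data_file:file create_file_perms;
allow dpmd dpmd_data_file:dir create_dir_perms;

# QMUX (radio) socket.
qmux_socket(dpmd)

# Wakelocks. In AOSP te_macros wakelock_use() already expands to the
# sysfs_wake_lock rule below; the explicit rule is kept for policies whose
# macro differs.
allow dpmd sysfs_wake_lock:file rw_file_perms;
wakelock_use(dpmd)

# Sockets dpmd owns: create + read/write (covers both former rule pairs).
allow dpmd self:{ socket netlink_socket } create_socket_perms;

# Capabilities. This set is wide for a network daemon:
#  - dac_override bypasses DAC on every file the domain can reach; fixing
#    ownership/group of the files dpmd touches is the usual replacement.
#  - sys_module allows loading/unloading kernel modules.
#    TODO(review): confirm dpmd actually loads a module and that this does not
#    collide with the sys_module neverallow in the core domain.te of the
#    target Android release; drop it if not required.
#  - net_admin + net_raw give full control over the network stack, which is
#    plausible for this daemon but should be tied to a concrete need.
allow dpmd self:capability {
    setuid
    setgid
    dac_override
    chown
    fsetid
    net_raw
    net_admin
    sys_module
};

allow dpmd smem_log_device:chr_file rw_file_perms;

# Property service. ctl_default_prop covers the ctl.start/ctl.stop/ctl.restart
# properties, i.e. dpmd can start and stop init-managed services.
# TODO(review): if only specific services are controlled, a dedicated
# ctl.* property context is the least-privilege option.
unix_socket_connect(dpmd, property, init)
allow dpmd { system_prop ctl_default_prop }:property_service set;

# TODO(review): executing /system/bin/sh from a daemon that holds the
# capabilities above effectively grants shell-level power to anything that
# can influence its command lines; confirm why the shell is needed.
allow dpmd shell_exec:file rx_file_perms;

# Unlink the dpmwrapper socket from /dev/socket.
allow dpmd socket_device:dir remove_name;

# Talk to cnd over its socket (used to install iptables rules).
unix_socket_connect(dpmd, cnd, cnd)

# proc_net is the label for /proc/net and, per AOSP genfs_contexts,
# /proc/sys/net (the original comment's "/proc/net/sys" is presumably a typo
# for /proc/sys/net). Note that with the open_perms policy capability, 'write'
# alone does not let dpmd open() these files itself, only write to an
# inherited fd; if dpmd opens them directly, `{ open write }` is what is
# actually needed. Verify against audit logs before widening.
allow dpmd proc_net:file write;

# Client domains allowed to reach dpmd's socket (dpmd_socket_perm is defined
# elsewhere in this policy).
dpmd_socket_perm(appdomain)
dpmd_socket_perm(system_server)
dpmd_socket_perm(mediaserver)
dpmd_socket_perm(mtp)
dpmd_socket_perm(wfdservice)
dpmd_socket_perm(drmserver)

# dpmd may read/write UDP sockets that app processes hand it (fd passing).
# TODO(review): this applies to every app's UDP sockets; confirm the fd is
# only ever received over dpmd's own socket and never looked up otherwise.
allow dpmd appdomain:udp_socket rw_socket_perms;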