Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / device / qcom / sepolicy / refs/heads/fp2-sibon / . / common / cnd.te
blob: 91bc97d5ea620fb11babc92379a90796cf7e2960 [file] [log] [blame]
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]1#permissive cnd;
2type cnd, domain;
3type cnd_exec, exec_type, file_type;
4file_type_auto_trans(cnd, socket_device, cnd_socket);
5
6# cnd is started by init, type transit from init domain to cnd domain
7init_daemon_domain(cnd)
8# associate netdomain as an attribute of cnd domain
9net_domain(cnd)
10
Biswajit Paul64f83f62014-10-13 14:36:16 -0700[diff] [blame]11allow cnd smem_log_device:chr_file rw_file_perms;
12
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]13# allow cnd the following capability
14allow cnd self:capability { setuid setgid dac_override net_raw chown
15 fsetid net_admin sys_module };
16allow cnd self:capability2 block_suspend;
17
18# socket used to communicate with kernel via the netlink syscall
19allow cnd self:netlink_tcpdiag_socket { bind create write read
Biswajit Paul64f83f62014-10-13 14:36:16 -0700[diff] [blame]20 nlmsg_read getopt};
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]21allow cnd self:netlink_route_socket { read bind create write
22 nlmsg_read };
Boxiang Panbd056452014-10-31 18:01:46 -0700[diff] [blame]23allow cnd self:netlink_socket { create setopt getopt bind getattr write read };
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]24
25# allow cnd to set system property
26allow cnd system_prop:property_service set;
27allow cnd property_socket:sock_file write;
28allow cnd init:unix_stream_socket connectto;
29
30# allow cnd to communicate with wlan driver
31allow cnd kernel:system module_request;
32
33# allow cnd to access cnd_data_file
34allow cnd cnd_data_file:file create_file_perms;
35allow cnd cnd_data_file:sock_file { unlink create setattr };
36allow cnd cnd_data_file:dir { open read write add_name remove_name search };
37
38# allow cnd to access qmux_radio_socket
Biswajit Paul64f83f62014-10-13 14:36:16 -0700[diff] [blame]39qmux_socket(cnd)
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]40
41# cnd access diag_device /dev/diag for logging
42allow cnd diag_device:chr_file { read write open ioctl };
43
44# allow cnd to access wpa_socket
45allow cnd wpa:unix_dgram_socket sendto;
46allow cnd wpa_socket:dir { write remove_name search add_name search };
47allow cnd wpa_socket:sock_file { write create unlink setattr };
48allow cnd wifi_data_file:dir search;
49# allow cnd to obtain wakelock
50allow cnd sysfs_wake_lock:file { open append };
51
52# allow cnd to communicate with all application
53allow cnd appdomain:dir search;
54allow cnd appdomain:fd use;
55allow cnd appdomain:file { read open };
56allow cnd appdomain:tcp_socket rw_socket_perms;
57
58# allow cnd to communicate with system_server
59allow cnd system_server:dir search;
60allow cnd system_server:file { read open };
Sanket Khidkikar8eca1042015-03-10 22:04:54 -0700[diff] [blame]61allow cnd system_server:tcp_socket { write getattr shutdown getopt read bind setopt };
Avijit Kanti Das0196c6a2014-07-23 23:44:35 -0700[diff] [blame]62
63# allow cnd to communicate with mediaserver
64allow cnd mediaserver:dir search;
65allow cnd mediaserver:fd use;
66allow cnd mediaserver:tcp_socket { read write bind getattr shutdown getopt };
67allow cnd mediaserver:file { open read };
68
Nilesh Poddar9f66f8a2015-02-13 18:06:23 -0800[diff] [blame]69# allow cnd to perform socket operation on itself
70allow cnd self:socket create_socket_perms;
71
Boxiang Panc6e7cf62014-10-06 12:00:15 -0700[diff] [blame]72# allow cnd to access ipa_dev
73allow cnd ipa_dev:chr_file r_file_perms;
Boxiang Pan695cae62014-12-23 12:05:45 -0800[diff] [blame]74
Nilesh Poddar9f66f8a2015-02-13 18:06:23 -0800[diff] [blame]75# allow access to nims
76allow cnd socket_device:dir remove_name;