# Policy for the cnd daemon domain and its executable.
type cnd, domain, vendor_executes_system_violators;
type cnd_exec, exec_type, vendor_file_type, file_type;

# Started by init as a daemon; gets the generic network-client rules and
# may hold wakelocks.
init_daemon_domain(cnd)
net_domain(cnd)
wakelock_use(cnd)

# Unix sockets: cnd creates /dev/socket/nims, which is auto-labelled
# cnd_socket, and may later remove that entry from the socket directory.
file_type_auto_trans(cnd, socket_device, cnd_socket);
allow cnd socket_device:dir remove_name;

# Capability set is intentionally narrow: net_raw, net_admin and
# dac_override are deliberately NOT granted here.
allow cnd self:capability { chown fsetid setgid setuid net_bind_service};

# Qualcomm MSM Interface (QMI) radio sockets via the qmux helper.
qmux_socket(cnd)

# Property access: cnd may set properties labelled system_prop.
set_prop(cnd, system_prop)

# Read-only access to meminfo and to sysfs-labelled dirs/files.
allow cnd proc_meminfo:file r_file_perms;
r_dir_file(cnd, sysfs_type)

# Kernel sockets. The tcpdiag netlink socket is granted without ioctl;
# generic sockets get full create perms, but their ioctl commands are
# restricted to the msm_sock_ipc_ioctls set by the allowxperm rule.
allow cnd self:netlink_tcpdiag_socket create_socket_perms_no_ioctl;
allow cnd self:socket create_socket_perms;
allowxperm cnd self:socket ioctl msm_sock_ipc_ioctls;

# diag_device: read/write is allowed only on userdebug/eng builds. The
# dontaudit below keeps denials of the same access out of the audit log
# (a no-op where the allow rule is present, i.e. on userdebug/eng).
userdebug_or_eng(`
allow cnd diag_device:chr_file rw_file_perms;
')
dontaudit cnd diag_device:chr_file rw_file_perms;

# Mobile hotspot support: cnd executes shell and system binaries.
allow cnd shell_exec:file rx_file_perms;
allow cnd system_file:file rx_file_perms;

# Known boundary crossings kept under the *_violators attributes, each
# tracked for removal:
# TODO(b/36576126): drop once cnd stops accessing /dev/binder
typeattribute cnd binder_in_vendor_violators;
# TODO(b/36613996): drop once qcneservice no longer communicates over
# sockets with cnd, or once qcneservice becomes a vendor service
typeattribute cnd socket_between_core_and_vendor_violators;