1 type ims, domain, domain_deprecated; 2 type ims_exec, exec_type, file_type; 3 4 # Started by init 5 init_daemon_domain(ims) 6 7 # Uses network sockets 8 net_domain(ims) 9 10 # Grant access to Qualcomm MSM Interface (QMI) radio sockets to ims daemon 11 qmux_socket(ims) 12 13 # Allow ims to communicate with netd. 14 allow ims netd_socket:sock_file write; 15 16 # Allow ims to communicate with cnd. 17 allow ims cnd_socket:sock_file write; 18 19 # Allow ims to communicate with cnd. 20 allow ims cnd:unix_stream_socket connectto; 21 22 # Needed to let ims daemon drop unneeded capabilities and to allow access to 23 # net_bind 24 allow ims self:capability { setpcap setuid net_bind_service }; 25 26 # Allow ims to create and use netlink sockets. 27 allow ims self:netlink_socket create_socket_perms; 28 29 # Allow access to smem log 30 allow ims shared_log_device:chr_file rw_file_perms; 31 32 # ims needs to parse through /proc to obtain pid of netmgrd 33 r_dir_file(ims, netmgrd) 34 35 # b/18352920 suppress denials until the procfs lookup is removed 36 dontaudit ims domain:dir r_dir_perms; 37 38 # Allow ims to create and use socket to communicate between ims processes. 39 allow ims self:socket create_socket_perms; 40 41 # Runs /system/bin/sh for executing ndc commands via popen 42 allow ims shell_exec:file rx_file_perms; 43 44 # Runs /system/bin/ndc 45 allow ims system_file:file rx_file_perms; 46 47 # XXX Run toolbox. Might not be needed. 48 allow ims toolbox_exec:file rx_file_perms; 49 auditallow ims toolbox_exec:file rx_file_perms; 50 51 # Allow ims to tell init to start the ims data service via property=sys.ims.QMI_DAEMON_STATUS 52 set_prop(ims, qcom_ims_prop) 53 allow ims qcom_ims_prop:property_service set; 54 allow ims ims_socket:sock_file write; 55 56 allow ims wpa_socket:sock_file create_file_perms; 57 allow ims wpa_socket:dir rw_dir_perms; 58 59 allow ims wifi_data_file:dir r_dir_perms; 60 61 unix_socket_send(ims, wpa, wpa) 62
