path: root/sepolicy/ims.te

type ims, domain, device_domain_deprecated;
type ims_exec, exec_type, file_type;

# Started by init
init_daemon_domain(ims)

# Uses network sockets
net_domain(ims)

# Grant access to Qualcomm MSM Interface (QMI) radio sockets to ims daemon
qmux_socket(ims)

# Allow ims to communicate with netd.
allow ims netd_socket:sock_file write;

# Allow ims to communicate with cnd.
allow ims cnd_socket:sock_file write;

# Allow ims to communicate with cnd.
allow ims cnd:unix_stream_socket connectto;

# Needed to let ims daemon drop unneeded capabilities and to allow access to
# net_bind
allow ims self:capability { setpcap setuid net_bind_service };

# Allow ims to create and use netlink sockets.
allow ims self:netlink_socket create_socket_perms_no_ioctl;

# Allow access to smem log
allow ims shared_log_device:chr_file rw_file_perms;

# ims needs to parse through /proc to obtain pid of netmgrd
r_dir_file(ims, netmgrd)

# b/18352920 suppress denials until the procfs lookup is removed
dontaudit ims domain:dir r_dir_perms;

# Allow ims to create and use socket to communicate between ims processes.
allow ims self:socket create_socket_perms;
allowxperm ims self:socket ioctl msm_sock_ipc_ioctls;

# Runs /system/bin/sh for executing ndc commands via popen
allow ims shell_exec:file rx_file_perms;

# Runs /system/bin/ndc
allow ims system_file:file rx_file_perms;

# XXX Run toolbox.  Might not be needed.
allow ims toolbox_exec:file rx_file_perms;
auditallow ims toolbox_exec:file rx_file_perms;

# Allow ims to tell init to start the ims data service via property=sys.ims.QMI_DAEMON_STATUS
set_prop(ims, qcom_ims_prop)
allow ims qcom_ims_prop:property_service set;
allow ims ims_socket:sock_file write;

allow ims wpa_socket:sock_file create_file_perms;
allow ims wpa_socket:dir rw_dir_perms;

allow ims wifi_data_file:dir r_dir_perms;

unix_socket_send(ims, wpa, hal_wifi_supplicant_server)