blob: 06464ed0d024cd9b67d8779fcd47243a3c67e339 [file] [log] [blame]
type ims, domain;
type ims_exec, exec_type, file_type;
# Started by init
init_daemon_domain(ims)
# Uses network sockets
net_domain(ims)
# Grant access to Qualcomm MSM Interface (QMI) radio sockets to ims daemon
qmux_socket(ims)
# Allow ims to communicate with netd.
allow ims netd_socket:sock_file write;
# Needed to let ims daemon drop unneeded capabilities and to allow access to
# net_bind
allow ims self:capability { setpcap setuid net_bind_service };
# Allow ims to create and use netlink sockets.
allow ims self:netlink_socket create_socket_perms;
# Allow access to smem log
allow ims shared_log_device:chr_file rw_file_perms;
# ims needs to parse through /proc to obtain pid of netmgrd
r_dir_file(ims, netmgrd)
# b/18352920 suppress denials until the procfs lookup is removed
dontaudit ims domain:dir r_dir_perms;
# Allow ims to create and use socket to communicate between ims processes.
allow ims self:socket create_socket_perms;
# Runs /system/bin/sh for executing ndc commands via popen
allow ims shell_exec:file rx_file_perms;
# Runs /system/bin/ndc
allow ims system_file:file rx_file_perms;
# Talks to init via property socket.
unix_socket_connect(ims, property, init)
# Allow ims to tell init to start the ims data service via property=sys.ims.QMI_DAEMON_STATUS
allow ims qcom_ims_prop:property_service set;