From 0b2d26de3d6e7fa190b25e91fea92b6a676bbc15 Mon Sep 17 00:00:00 2001
From: Robert Quattlebaum <rquattle@google.com>
Date: Thu, 5 Oct 2017 17:10:24 -0700
Subject: [PATCH] wpantund: Allow wpantund to call callbacks

This change allows wpantund to call any binder callbacks that have
been registered with it. Generally, only privileged apps are allowed
to register callbacks with wpantund, so we are limiting the scope for
callbacks to only privileged apps. We also add shell to allow the
command-line utility `lowpanctl` to work properly from `adb shell`.

Bug: b/67393078
Test: manual
Change-Id: I64c52cc5e202725a81230dc67e1cd7c911cf8e1c
(cherry picked from commit 17319cb35c20e9d7c682948542cf196ee0553f7f)
---
 public/wpantund.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/public/wpantund.te b/public/wpantund.te
index 2993e6d6e..a97481eb2 100644
--- a/public/wpantund.te
+++ b/public/wpantund.te
@@ -10,6 +10,13 @@ binder_call(wpantund, system_server)
 # wpantund needs to be able to check in with the lowpan_service
 allow wpantund lowpan_service:service_manager find;
 
+# Allow wpantund to call any callbacks that have been registered with it.
+# Generally, only privileged apps are able to register callbacks with
+# wpantund, so we are limiting the scope for callbacks to only privileged
+# apps. We also add shell to allow the command-line utility `lowpanctl`
+# to work properly from `adb shell`.
+allow wpantund {priv_app shell}:binder call;
+
 # create sockets to set interfaces up and down, add multicast groups, etc.
 allow wpantund self:udp_socket create_socket_perms;
 
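Review bot: The `shell` target in `allow wpantund {priv_app shell}:binder call;` is granted on every build type, although the comment justifies it only by `lowpanctl` being run from `adb shell`. If that is a development and debugging path, consider keeping `allow wpantund priv_app:binder call;` unconditional and moving the `shell` target into a `userdebug_or_eng()` block, so that production policy only lets the daemon call into privileged apps. The rule covers only the outgoing direction: who may register a callback is decided elsewhere (presumably by access to `lowpan_service`), so the comment's "Generally, only privileged apps" would be easier to audit if it named where that restriction is enforced. The rule visible in the hunk header uses the `binder_call()` macro, while this one grants bare `call` without `transfer`; if that narrowing is deliberate, a one-line comment saying that callbacks need no binder object transfer would keep a later editor from "normalising" it to the macro.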
-- 
GitLab