device_google_wahoo/sepolicy/location.te

type location, domain;
type location_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(location)

# STOPSHIP b/28340421
# Temporarily grant this permission and log its use.
allow location self:capability { net_admin };
auditallow location self:capability { net_admin };

allow location location_exec:file execute_no_trans;

allow location self:capability { setgid setuid };

allow location proc_net:file r_file_perms;
allow location location_data_file:file w_file_perms;
allow location location_data_file:dir w_dir_perms;
allow location location_data_file:sock_file create_file_perms;

allow location self:netlink_route_socket create_socket_perms_no_ioctl;
allow location self:netlink_generic_socket create_socket_perms_no_ioctl;
allow location self:netlink_socket create_socket_perms_no_ioctl;
allow location self:socket create_socket_perms;
allow location self:udp_socket create_socket_perms;
allow location self:udp_socket create_socket_perms;
allowxperm location self:udp_socket ioctl { SIOCGIFHWADDR SIOCIWFIRSTPRIV_05 };
allowxperm location self:socket ioctl msm_sock_ipc_ioctls;

# files in /sys
r_dir_file(location, sysfs_type)

userdebug_or_eng(`
permissive location;
')

# TODO(b/34274385): Remove this once Wi-Fi HAL is guaranteed to not be run in passthrough mode
# What's going on here is that Wi-Fi HAL is talking over sockets to location daemon, which is
# permitted. However, those rules target hal_wifi rather than hal_wifi_server and thus are also
# granted to all clients of these HALs (e.g., system_server) which are core components, and
# socket communications between system components and vendor components are not permted.
# Once we switch full Treble devices to binderized only mode, this issue will disappear.
typeattribute location socket_between_core_and_vendor_violators;