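policy_module(vsomeip, 1.0.0)

########################################
#
# Declarations
#

# Domain of routingmanagerd (the vsomeip routing manager) and the label of its
# executable.  init_daemon_domain() (refpolicy) sets up the init_t -> vsomeip_t
# transition so the daemon runs confined when started by systemd.
type vsomeip_t;
type vsomeip_exec_t;
init_daemon_domain(vsomeip_t, vsomeip_exec_t)

# Label of the runtime directory /run/vsomeip.  The per-application sockets the
# daemon touches below (sock_file write) are presumably created inside it and
# carry this label -- confirm against the file contexts.
type vsomeip_var_run_t;
files_base_file(vsomeip_var_run_t)

# Label of /run/vsomeip/vsomeip-0, the routing manager's own listening socket.
# It is kept distinct from vsomeip_var_run_t so that only systemd (socket
# activation) may create/remove it while the daemon may merely adjust it.
type router_vsomeip_var_run_t;
files_base_file(router_vsomeip_var_run_t)

# NOTE(review): interface calls are m4 macros and take no trailing ';' (the
# original had one).  Content under /run is conventionally declared with
# files_pid_file(); if this policy tree does not define files_base_file(),
# switch to that.

########################################
#
# Systemd socket activation
#

# init_t is declared by the init module.  A policy module may only reference an
# externally declared type inside a require block, so bring it into scope.
gen_require(`
	type init_t;
')

# systemd creates /run/vsomeip/vsomeip-0 on the daemon's behalf and removes it
# again.  The VFS checks `write` on the parent directory for both create and
# unlink (inode_permission(MAY_WRITE)) in addition to add_name/remove_name, so
# grant it here; `search` on the directory is assumed to be granted by a generic
# interface -- verify with audit2allow if socket creation is denied.
allow init_t vsomeip_var_run_t:dir { add_name write remove_name };
allow init_t router_vsomeip_var_run_t:sock_file { create unlink write setattr };

########################################
#
# Routing manager daemon local policy
#

# rtnetlink access (read-only messages); presumably used to enumerate
# interfaces/addresses -- TODO confirm against routingmanagerd.
allow vsomeip_t self:netlink_route_socket { bind create nlmsg_read shutdown };
# Datagram socket only used for ioctl; presumably interface queries -- TODO confirm.
allow vsomeip_t self:unix_dgram_socket { create ioctl };

# The daemon maintains per-application entries under /run/vsomeip itself.
allow vsomeip_t vsomeip_var_run_t:dir { add_name write remove_name };
allow vsomeip_t vsomeip_var_run_t:file { create lock open write unlink };
allow vsomeip_t vsomeip_var_run_t:sock_file write;

# Deliberately minimal: the daemon never creates or unlinks its own listening
# socket (systemd owns that); it may only change its attributes (e.g. mode).
allow vsomeip_t router_vsomeip_var_run_t:sock_file setattr;

########################################
#
# Optional cross-domain communication
#

# Let the routing manager connect to stream sockets owned by unconfined
# processes (e.g. unconfined vsomeip applications).  Only compiled in when the
# unconfined module is present.
optional_policy(`
	gen_require(`
		type unconfined_t;
	')

	allow vsomeip_t unconfined_t:unix_stream_socket connectto;
')

# Containers use vsomeip: they reach the routing manager and each other.
# vsomeip_use() and vsomeip_talk_to() are interfaces from this module's .if
# file (not shown here).
optional_policy(`
	gen_require(`
		type container_t;
	')

	vsomeip_use(container_t)

	# SECURITY NOTE: this bridges container_t (typically untrusted workloads)
	# to unconfined_t over vsomeip, i.e. a container may exchange SOME/IP
	# traffic with processes that are otherwise outside SELinux confinement.
	# If that is not required on every deployment, gate it behind a tunable
	# instead of enabling it unconditionally.
	optional_policy(`
		gen_require(`
			type unconfined_t;
		')

		vsomeip_talk_to(container_t, unconfined_t)
	')
')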