private/statsd.te - android_system_sepolicy - Gitiles

 type statsd, domain;
 typeattribute statsd coredomain;

 init_daemon_domain(statsd)

 type statsd_exec, exec_type, file_type;
 binder_use(statsd)

 # Allow statsd to scan through /proc/pid for all processes.
 r_dir_file(statsd, domain)

 # Allow executing files on system, such as running a shell or running:
 #   /system/bin/toolbox
 #   /system/bin/logcat
 #   /system/bin/dumpsys
 allow statsd shell_exec:file rx_file_perms;
 allow statsd system_file:file execute_no_trans;
 allow statsd toolbox_exec:file rx_file_perms;

 # Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
 allow statsd stats_data_file:dir create_dir_perms;
 allow statsd stats_data_file:file create_file_perms;

 # Allow statsd to make binder calls to any binder service.
 binder_call(statsd, appdomain)
 binder_call(statsd, incidentd)
 binder_call(statsd, statscompanion_service)

 # Allow logd access.
 read_logd(statsd)
 control_logd(statsd)

 # Grant statsd with permissions to register the services.
 allow statsd {
   statscompanion_service
   app_api_service
   system_api_service
 }:service_manager find;

 # Only statsd can publish the binder service.
 add_service(statsd, stats_service)

 # Allow pipes from (and only from) stats.
 allow statsd stats:fd use;
 allow statsd stats:fifo_file write;

 # Allow statsd to call back to stats with status updates.
 binder_call(statsd, stats)

 ###
 ### neverallow rules
 ###

 # Only system_server, system_app, and stats command can find the stats service.
 neverallow {
   domain
   -dumpstate
   -shell
   -stats
   -statsd
   -system_app
   -system_server
 } stats_service:service_manager find;

 # Only statsd and the other root services in limited circumstances.
 # can get to the files in /data/misc/stats-data, /data/misc/stats-service.
 # Other services are prohibitted from accessing the file.
 neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:file *;

 # Limited access to the directory itself.
 neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:dir *;
	type statsd, domain;
	typeattribute statsd coredomain;

	init_daemon_domain(statsd)

	type statsd_exec, exec_type, file_type;
	binder_use(statsd)

	# Allow statsd to scan through /proc/pid for all processes.
	r_dir_file(statsd, domain)

	# Allow executing files on system, such as running a shell or running:
	# /system/bin/toolbox
	# /system/bin/logcat
	# /system/bin/dumpsys
	allow statsd shell_exec:file rx_file_perms;
	allow statsd system_file:file execute_no_trans;
	allow statsd toolbox_exec:file rx_file_perms;

	# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
	allow statsd stats_data_file:dir create_dir_perms;
	allow statsd stats_data_file:file create_file_perms;

	# Allow statsd to make binder calls to any binder service.
	binder_call(statsd, appdomain)
	binder_call(statsd, incidentd)
	binder_call(statsd, statscompanion_service)

	# Allow logd access.
	read_logd(statsd)
	control_logd(statsd)

	# Grant statsd with permissions to register the services.
	allow statsd {
	statscompanion_service
	app_api_service
	system_api_service
	}:service_manager find;

	# Only statsd can publish the binder service.
	add_service(statsd, stats_service)

	# Allow pipes from (and only from) stats.
	allow statsd stats:fd use;
	allow statsd stats:fifo_file write;

	# Allow statsd to call back to stats with status updates.
	binder_call(statsd, stats)

	###
	### neverallow rules
	###

	# Only system_server, system_app, and stats command can find the stats service.
	neverallow {
	domain
	-dumpstate
	-shell
	-stats
	-statsd
	-system_app
	-system_server
	} stats_service:service_manager find;

	# Only statsd and the other root services in limited circumstances.
	# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
	# Other services are prohibitted from accessing the file.
	neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:file *;

	# Limited access to the directory itself.
	neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:dir *;