Blame - prebuilts/api/29.0/public/iorapd.te - android_system_sepolicy

blob: abf7adbac9cad8d9b35301fb27ebe33e94bb4c53 [file] [log] [blame]

Tri Vo	bc8dc3a	2019-05-26 13:17:08 -0700	[diff] [blame^]	1	# volume manager
				2	type iorapd, domain;
				3	type iorapd_exec, exec_type, file_type, system_file_type;
				4	type iorapd_tmpfs, file_type;
				5
				6	r_dir_file(iorapd, rootfs)
				7
				8	# Allow read/write /proc/sys/vm/drop/caches
				9	allow iorapd proc_drop_caches:file rw_file_perms;
				10
				11	# Give iorapd a place where only iorapd can store files; everyone else is off limits
				12	allow iorapd iorapd_data_file:dir create_dir_perms;
				13	allow iorapd iorapd_data_file:file create_file_perms;
				14
				15	# Allow iorapd to publish a binder service and make binder calls.
				16	binder_use(iorapd)
				17	add_service(iorapd, iorapd_service)
				18
				19	# Allow iorapd to call into the system server so it can check permissions.
				20	binder_call(iorapd, system_server)
				21	allow iorapd permission_service:service_manager find;
				22	# IUserManager
				23	allow iorapd user_service:service_manager find;
				24	# IPackageManagerNative
				25	allow iorapd package_native_service:service_manager find;
				26
				27	# talk to batteryservice
				28	binder_call(iorapd, healthd)
				29
				30	# TODO: does each of the service_manager allow finds above need the binder_call?
				31
				32	# iorapd temporarily changes its priority when running benchmarks
				33	allow iorapd self:global_capability_class_set sys_nice;
				34
				35	# Allow to access Perfetto traced's privileged consumer socket to start/stop
				36	# tracing sessions and read trace data.
				37	unix_socket_connect(iorapd, traced_consumer, traced)
				38
				39	###
				40	### neverallow rules
				41	###
				42
				43	neverallow {
				44	domain
				45	-iorapd
				46	} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
				47
				48	neverallow {
				49	domain
				50	-init
				51	-iorapd
				52	} iorapd_data_file:dir *;
				53
				54	neverallow {
				55	domain
				56	-kernel
				57	-iorapd
				58	} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
				59
				60	neverallow {
				61	domain
				62	-init
				63	-kernel
				64	-vendor_init
				65	-iorapd
				66	} { iorapd_data_file }:notdevfile_class_set *;
				67
				68	# Only system_server can interact with iorapd over binder
				69	neverallow { domain -system_server -iorapd } iorapd_service:service_manager find;
				70	neverallow iorapd {
				71	domain
				72	-healthd
				73	-servicemanager
				74	-system_server
				75	userdebug_or_eng(`-su')
				76	}:binder call;
				77
				78	neverallow { domain -init } iorapd:process { transition dyntransition };
				79	neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;