# storaged daemon
#
# Policy for the storaged daemon: its own domain and exec type, entered from
# init. The rules below grant read access to /proc, sysfs and the per-process
# /proc entries of every domain, a small set of capabilities, and binder
# access to publish storaged_service and talk to system_server. Every rule
# is a grant; the neverallow at the end is the one guarantee this file makes
# to the rest of the policy.
type storaged, domain, mlstrustedsubject;
# mlstrustedsubject exempts the domain from MLS constraints when it touches
# objects at other MLS levels.
type storaged_exec, exec_type, file_type;

init_daemon_domain(storaged)

# Write to /dev/kmsg (opened in init)
# Only write and append are granted: the descriptor is inherited from init,
# so storaged never needs open on kmsg_device itself.
allow storaged kmsg_device:chr_file { write append };

# Read access to pseudo filesystems
allow storaged proc:dir r_dir_perms;
r_dir_file(storaged, sysfs_type)
r_dir_file(storaged, proc_net)
# Read access to the /proc/<pid> entries of every domain (those entries carry
# the label of the owning process). This is broad; if storaged only needs a
# few files under /proc/<pid>, a narrower target would reduce what it can see.
r_dir_file(storaged, domain)

# setuid/setgid: presumably to drop privileges after start - confirm against
# the daemon source.
# sys_ptrace: presumably needed only for reading other processes /proc state
# (the kernel applies PTRACE_MODE_READ checks there), NOT for attaching; the
# neverallow at the bottom of this file forbids process ptrace on any domain,
# so this capability cannot be combined with an attach.
allow storaged self:capability { setgid setuid sys_nice sys_ptrace };

# Debug-only rules: compiled in on userdebug and eng builds only, so user
# builds never grant storaged any access to debugfs_mmc.
userdebug_or_eng(`
# Read access to debugfs
allow storaged debugfs_mmc:dir search;
allow storaged debugfs_mmc:file r_file_perms;
')

# Binder permissions
# storaged registers storaged_service with servicemanager, uses binder, and
# may call into system_server (the call macro is typically bidirectional, so
# system_server can call back - check the macro definition).
allow storaged storaged_service:service_manager add;
binder_use(storaged)
binder_call(storaged, system_server)

###
### neverallow
###
# Compile-time assertion, global to the whole policy: no rule anywhere may
# grant storaged the ptrace permission on any domain. This bounds the
# sys_ptrace capability above to /proc reads and turns any later allow rule
# that would re-enable attach into a build failure.
neverallow storaged domain:process ptrace;