typeattribute statsd coredomain; init_daemon_domain(statsd) # Allow to exec the perfetto cmdline client and pass it the trace config on # stdint through a pipe. It allows statsd to capture traces and hand them # to Android dropbox. allow statsd perfetto_exec:file rx_file_perms; domain_auto_trans(statsd, perfetto_exec, perfetto) # Grant statsd with permissions to register the services. allow statsd { statscompanion_service }:service_manager find; # Allow incidentd to obtain the statsd incident section. allow statsd incidentd:fifo_file write; # Allow StatsCompanionService to pipe data to statsd. allow statsd system_server:fifo_file { read write getattr }; # Allow Statsd to pipe data to privileged apps. allow statsd priv_app:fifo_file { read write getattr }; # Allow statsd to retrieve SF statistics over binder binder_call(statsd, surfaceflinger); # Allow statsd to read its system properties get_prop(statsd, device_config_statsd_native_prop) get_prop(statsd, device_config_statsd_native_boot_prop) # Allow statsd to write uprobestats configs. allow statsd uprobestats_configs_data_file:dir rw_dir_perms; allow statsd uprobestats_configs_data_file:file create_file_perms; # Allow statsd to trigger uprobestats via property. set_prop(statsd, uprobestats_start_with_config_prop); binder_use(statsd) # Allow statsd to scan through /proc/pid for all processes. r_dir_file(statsd, domain) # Allow executing files on system, such as running a shell or running: # /system/bin/toolbox # /system/bin/logcat # /system/bin/dumpsys allow statsd devpts:chr_file { getattr ioctl read write }; allow statsd shell_exec:file rx_file_perms; allow statsd system_file:file execute_no_trans; allow statsd toolbox_exec:file rx_file_perms; userdebug_or_eng(` allow statsd su:fifo_file read; ') # Create, read, and write into # /data/misc/stats-active-metric # /data/misc/stats-data # /data/misc/stats-metadata # /data/misc/stats-service # /data/misc/train-info allow statsd stats_data_file:dir create_dir_perms; allow statsd stats_data_file:file create_file_perms; allow statsd stats_config_data_file:dir create_dir_perms; allow statsd stats_config_data_file:file create_file_perms; # Allow statsd to make binder calls to any binder service. binder_call(statsd, appdomain) binder_call(statsd, incidentd) binder_call(statsd, system_server) binder_call(statsd, traced_probes) # Allow statsd to interact with gpuservice allow statsd gpu_service:service_manager find; binder_call(statsd, gpuservice) # Allow statsd to interact with keystore to pull atoms allow statsd keystore_service:service_manager find; binder_call(statsd, keystore) # Allow statsd to interact with mediametrics allow statsd mediametrics_service:service_manager find; binder_call(statsd, mediametrics) # Allow statsd to interact with mediametrics allow statsd mediaserver_service:service_manager find; binder_call(statsd, mediaserver) # Allow logd access. read_logd(statsd) control_logd(statsd) # Grant statsd with permissions to register the services. allow statsd { app_api_service incident_service system_api_service }:service_manager find; # Grant statsd to access health hal to access battery metrics. allow statsd hal_health_hwservice:hwservice_manager find; # Allow statsd to send dump info to dumpstate allow statsd dumpstate:fd use; allow statsd dumpstate:fifo_file { getattr write }; # Allow access to with hardware layer and process stats. allow statsd proc_uid_cputime_showstat:file { getattr open read }; hal_client_domain(statsd, hal_health) hal_client_domain(statsd, hal_power) hal_client_domain(statsd, hal_power_stats) hal_client_domain(statsd, hal_thermal) # Allow 'adb shell cmd' to upload configs and download output. allow statsd adbd:fd use; allow statsd adbd:unix_stream_socket { getattr read write }; allow statsd shell:fifo_file { getattr read write }; unix_socket_send(statsd, statsdw, statsd) ### ### neverallow rules ### # Only statsd and the other root services in limited circumstances. # can get to the files in /data/misc/stats-data, /data/misc/stats-service. # Other services are prohibitted from accessing the file. neverallow { domain -statsd -init -vold } stats_data_file:file *; neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:file *; # Limited access to the directory itself. neverallow { domain -statsd -init -vold } stats_data_file:dir *; neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:dir *;