tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/healthd.te
Nick Kralevich b192f0e7c7 drop "allow healthd self:process execmem;" 
The execmem capability indicates that the processes creates anonymous
executable memory, which is most commonly used for JITing functionality.
All of the healthd executable code comes from the filesystem, and
healthd does not rely on JITing or loading code from non-file based
sources, so this permission is unnecessary.

Bug: 32659667
Test: compiles and boots
Change-Id: Ifb2b68625b191cb002dbb134cace6ddd215236e8
2019-05-23 11:17:21 -07:00

56 lines
1.8 KiB
Text
Raw Blame History

# healthd - battery/charger monitoring service daemon
type healthd, domain;
type healthd_exec, system_file_type, exec_type, file_type;
# Write to /dev/kmsg
allow healthd kmsg_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
allow healthd sysfs_type:dir search;
# Allow to read /sys/class/power_supply directory.
allow healthd sysfs:dir r_dir_perms;
r_dir_file(healthd, rootfs)
r_dir_file(healthd, cgroup)
allow healthd self:global_capability_class_set { sys_tty_config };
allow healthd self:global_capability_class_set sys_boot;
dontaudit healthd self:global_capability_class_set sys_resource;
allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
wakelock_use(healthd)
hal_client_domain(healthd, hal_health)
# Read/write to /sys/power/state
allow healthd sysfs_power:file rw_file_perms;
# TODO: added to match above sysfs rule. Remove me?
allow healthd sysfs_usb:file write;
r_dir_file(healthd, sysfs_batteryinfo)
###
### healthd: charger mode
###
# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow healthd pstorefs:dir r_dir_perms;
allow healthd pstorefs:file r_file_perms;
allow healthd graphics_device:dir r_dir_perms;
allow healthd graphics_device:chr_file rw_file_perms;
allow healthd input_device:dir r_dir_perms;
allow healthd input_device:chr_file r_file_perms;
allow healthd tty_device:chr_file rw_file_perms;
allow healthd ashmem_device:chr_file execute;
allow healthd proc_sysrq:file rw_file_perms;
# Healthd needs to tell init to continue the boot
# process when running in charger mode.
set_prop(healthd, system_prop)
set_prop(healthd, exported_system_prop)
set_prop(healthd, exported2_system_prop)
set_prop(healthd, exported3_system_prop)
Reference in a new issue View git blame Copy permalink