f90c41f6e8
Add a service_mananger class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
36 lines
1.1 KiB
Text
36 lines
1.1 KiB
Text
# healthd seclabel is specified in init.rc since
|
|
# it lives in the rootfs and has no unique file type.
|
|
type healthd, domain;
|
|
|
|
allow healthd rootfs:file { read entrypoint };
|
|
write_klog(healthd)
|
|
# /dev/__null__ created by init prior to policy load,
|
|
# open fd inherited by healthd.
|
|
allow healthd tmpfs:chr_file { read write };
|
|
|
|
allow healthd self:capability { net_admin mknod sys_tty_config };
|
|
wakelock_use(healthd)
|
|
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
|
|
binder_use(healthd)
|
|
binder_service(healthd)
|
|
binder_call(healthd, system_server)
|
|
|
|
# Write to state file.
|
|
# TODO: Split into a separate type?
|
|
allow healthd sysfs:file write;
|
|
|
|
###
|
|
### healthd: charger mode
|
|
###
|
|
|
|
allow healthd graphics_device:dir r_dir_perms;
|
|
allow healthd graphics_device:chr_file rw_file_perms;
|
|
allow healthd input_device:dir r_dir_perms;
|
|
allow healthd input_device:chr_file r_file_perms;
|
|
allow healthd tty_device:chr_file rw_file_perms;
|
|
allow healthd ashmem_device:chr_file execute;
|
|
allow healthd self:process execmem;
|
|
allow healthd proc_sysrq:file rw_file_perms;
|
|
allow healthd self:capability sys_boot;
|
|
|
|
allow healthd healthd_service:service_manager add;
|