platform_system_sepolicy/public/bootstat.te
Inseob Kim 55e5c9b513 Move system property rules to private
The public/property split has landed to selectively export public types to
vendors, so rules that apply only within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system-defined properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00


# bootstat command
# Declares the process domain for bootstat and the label for its executable.
# This file is under public/, so these declarations are part of the policy
# that is visible to vendor policy as well as to system policy.
type bootstat, domain;
# exec_type marks the label as usable for a domain entry point; the actual
# domain transition into bootstat is not declared in this file.
type bootstat_exec, system_file_type, exec_type, file_type;
# Macro defined outside this file. NOTE(review): by its name it grants read
# access to the runtime event-log tags; confirm against te_macros.
read_runtime_log_tags(bootstat)
# Allow persistent storage in /data/misc/bootstat.
# Write access is scoped to objects labeled bootstat_data_file: directory
# read/write (add and remove entries) plus file create/modify/delete.
allow bootstat bootstat_data_file:dir rw_dir_perms;
allow bootstat bootstat_data_file:file create_file_perms;
# Second persistent store, labeled metadata_bootstat_file.
# `search` on metadata_file only lets bootstat traverse the parent directory;
# it does not grant listing or modifying it.
# NOTE(review): presumably a bootstat directory on the metadata partition; the
# path-to-label mapping lives in file_contexts and is not visible here.
allow bootstat metadata_file:dir search;
allow bootstat metadata_bootstat_file:dir rw_dir_perms;
allow bootstat metadata_bootstat_file:file create_file_perms;
# ToDo: TBI move access for the following to a system health HAL
# Allow access to /sys/fs/pstore/ and syslog
# All three rules are read-only: traverse the pstore directory, read the
# files in it, and read the kernel log buffer (syslog_read). No write or
# clear permission on either source is granted here.
# Both sources can carry kernel diagnostics from the current and previous
# boot, so this access should stay limited to what the ToDo above intends
# to move behind a HAL.
allow bootstat pstorefs:dir search;
allow bootstat pstorefs:file r_file_perms;
allow bootstat kernel:system syslog_read;
# Allow access to reading the logs to read aspects of system health
# Macro defined outside this file. NOTE(review): presumably grants read access
# to logd's log buffers, which aggregate output from many processes; confirm
# the exact sockets and permissions against te_macros when auditing.
read_logd(bootstat)
# Allow bootstat write to statsd.
# Arguments are (client domain, socket name, server domain): bootstat may send
# datagrams to the statsdw socket owned by statsd. The macro is defined
# outside this file; as used here it covers sending only, not receiving.
unix_socket_send(bootstat, statsdw, statsd)
# Build-time assertion: no domain other than bootstat and init may set
# properties labeled system_boot_reason_prop through the property service.
# A neverallow grants nothing by itself; it makes policy compilation fail if
# any allow rule elsewhere would give another domain this permission.
# The allow rules that actually let bootstat and init set the property are
# not in this file.
neverallow {
domain
-bootstat
-init
} system_boot_reason_prop:property_service set;