8599e34b95
Introduce wakelock_use(). This macro declares that a domain uses wakelocks. Wakelocks require both read-write access to files in /sys/power, and CAP_BLOCK_SUSPEND. This macro helps ensure that both capabilities and file access are granted at the same time. Still TODO: fix device specific wakelock use. Change-Id: Ib98ff374a73f89e403acd9f5e024988f59f08115
35 lines
1.1 KiB
Text
35 lines
1.1 KiB
Text
# healthd seclabel is specified in init.rc since
|
|
# it lives in the rootfs and has no unique file type.
|
|
type healthd, domain;
|
|
|
|
allow healthd rootfs:file { read entrypoint };
|
|
write_klog(healthd)
|
|
# /dev/__null__ created by init prior to policy load,
|
|
# open fd inherited by healthd.
|
|
allow healthd tmpfs:chr_file { read write };
|
|
|
|
allow healthd self:capability { net_admin mknod sys_tty_config };
|
|
wakelock_use(healthd)
|
|
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
|
|
binder_use(healthd)
|
|
binder_service(healthd)
|
|
binder_call(healthd, system_server)
|
|
|
|
# Write to state file.
|
|
# TODO: Split into a separate type?
|
|
allow healthd sysfs:file write;
|
|
|
|
###
|
|
### healthd: charger mode
|
|
###
|
|
|
|
allow healthd adf_device:chr_file rw_file_perms;
|
|
allow healthd graphics_device:dir r_dir_perms;
|
|
allow healthd graphics_device:chr_file rw_file_perms;
|
|
allow healthd input_device:dir r_dir_perms;
|
|
allow healthd input_device:chr_file r_file_perms;
|
|
allow healthd tty_device:chr_file rw_file_perms;
|
|
allow healthd ashmem_device:chr_file execute;
|
|
allow healthd self:process execmem;
|
|
allow healthd proc_sysrq:file rw_file_perms;
|
|
allow healthd self:capability sys_boot;
|