# SELinux type-enforcement policy for the healthd domain.
# The first section applies to healthd generally; the rules under
# "healthd: charger mode" carry the additional device, reboot and
# property access listed there.
#
# healthd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type healthd, domain;

# Macro defined outside this file; by its name it grants kernel-log
# write access -- confirm against the macro definition.
write_klog(healthd)
# /dev/__null__ created by init prior to policy load,
# open fd inherited by healthd.
# Only read/write on the inherited fd is granted (no open or create).
allow healthd tmpfs:chr_file { read write };

# NOTE(review): net_admin is presumably for the uevent netlink socket
# below; the need for mknod and sys_tty_config is not evident from this
# file -- confirm each capability is still required.
allow healthd self:capability { net_admin mknod sys_tty_config };
wakelock_use(healthd)
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
# Binder client and service macros, plus calls into system_server.
binder_use(healthd)
binder_service(healthd)
binder_call(healthd, system_server)

# Write to state file.
# TODO: Split into a separate type?
# NOTE(review): as written this permits write on every file carrying the
# generic sysfs label, not only the state file. A dedicated type for
# that file (per the TODO above) would narrow the grant.
allow healthd sysfs:file write;

###
### healthd: charger mode
###

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
# NOTE(review): the "only one file" assumption should be re-checked if
# further pstore files appear, since the rules cover the whole
# pstorefs type.
allow healthd pstorefs:dir r_dir_perms;
allow healthd pstorefs:file r_file_perms;

# Display (read/write), input (read-only) and tty (read/write) device
# access; presumably for the charger-mode UI -- confirm.
allow healthd graphics_device:dir r_dir_perms;
allow healthd graphics_device:chr_file rw_file_perms;
allow healthd input_device:dir r_dir_perms;
allow healthd input_device:chr_file r_file_perms;
allow healthd tty_device:chr_file rw_file_perms;
# NOTE(review): execute on ashmem_device plus execmem lets this domain
# obtain executable ashmem/anonymous mappings, which weakens W^X for
# healthd. The file does not say which component needs this; document
# the consumer and drop both rules if it no longer applies.
allow healthd ashmem_device:chr_file execute;
allow healthd self:process execmem;
# sysrq access plus sys_boot: presumably so charger mode can reboot or
# power off the device -- confirm. rw_file_perms on proc_sysrq includes
# read; check whether write alone would suffice.
allow healthd proc_sysrq:file rw_file_perms;
allow healthd self:capability sys_boot;

# Register healthd_service with the service manager.
allow healthd healthd_service:service_manager add;

# Healthd needs to tell init to continue the boot
# process when running in charger mode.
# NOTE(review): the set permission covers every property labelled
# system_prop, not just the one used for the boot signal; a dedicated
# property type would restrict this to the intended property.
unix_socket_connect(healthd, property, init)
allow healthd system_prop:property_service set;
