# SELinux policy for the healthd domain.
# The first part covers normal operation; the rules under
# "healthd: charger mode" are the additional access granted for charger mode.
#
# healthd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
# (No domain transition rule appears in this file for the same reason.)
type healthd, domain;

# Write to /dev/kmsg
allow healthd kmsg_device:chr_file rw_file_perms;

# net_admin: presumably required for the kobject uevent netlink socket
# below - confirm. sys_tty_config: presumably for configuring the tty
# used in charger mode - confirm.
# NOTE(review): net_admin is a broad capability; it is not confined here to
# the uevent use case.
allow healthd self:capability { net_admin sys_tty_config };
# wakelock_use is a macro defined outside this file; by name it grants
# access to the wake lock interface.
wakelock_use(healthd)
# Create and use a netlink socket for kernel kobject uevents.
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
# Binder: act as a binder client, offer a binder service, and make calls
# into system_server. The macros are defined outside this file.
binder_use(healthd)
binder_service(healthd)
binder_call(healthd, system_server)

# Write to state file.
# TODO: Split into a separate type?
# NOTE(review): the target here is the generic sysfs type, so the rule is
# not limited to the one state file; it permits write to every sysfs file
# that carries this label. A dedicated type for the state file (as the TODO
# suggests) would narrow this to the intended target.
allow healthd sysfs:file write;

###
### healthd: charger mode
###

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
# NOTE(review): the rules cover the whole pstorefs type, so any further
# file that appears under that label becomes readable as well.
allow healthd pstorefs:dir r_dir_perms;
allow healthd pstorefs:file r_file_perms;

# Display, input and tty devices: read/write on graphics and tty nodes,
# read-only on input nodes. Presumably for the charger-mode screen and
# key handling - confirm.
allow healthd graphics_device:dir r_dir_perms;
allow healthd graphics_device:chr_file rw_file_perms;
allow healthd input_device:dir r_dir_perms;
allow healthd input_device:chr_file r_file_perms;
allow healthd tty_device:chr_file rw_file_perms;
# NOTE(review): execute on ashmem_device together with execmem lets this
# domain create executable mappings of anonymous/shared memory, which
# weakens the W^X separation for the process. The reason is not stated
# here; confirm it is still required before keeping either rule.
allow healthd ashmem_device:chr_file execute;
allow healthd self:process execmem;
# proc_sysrq write access plus the sys_boot capability allow this domain to
# trigger sysrq actions and to reboot or power off the device.
# proc_sysrq presumably labels /proc/sysrq-trigger - confirm.
allow healthd proc_sysrq:file rw_file_perms;
allow healthd self:capability sys_boot;

# Register healthd_service with the service manager and look it up.
allow healthd healthd_service:service_manager { add find };

# Healthd needs to tell init to continue the boot
# process when running in charger mode.
# NOTE(review): set_prop on system_prop covers every property carrying that
# label, not only the one used for the boot signal.
set_prop(healthd, system_prop)