# SELinux type-enforcement policy for the healthd domain.
# The first section covers the normal healthd rules; the "charger mode"
# section below adds the device, reboot and property access used when
# healthd runs in charger mode.

# healthd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
# NOTE(review): domain_deprecated is a legacy attribute; whatever it grants
# comes from the tree's domain_deprecated rules, not from this file, so the
# effective permissions of healthd are wider than the rules listed here.
type healthd, domain, domain_deprecated;

# Write to /dev/kmsg
allow healthd kmsg_device:chr_file rw_file_perms;

# Read access to pseudo filesystems.
r_dir_file(healthd, sysfs)

# NOTE(review): no rationale is given for net_admin or sys_tty_config.
# net_admin is presumably tied to the uevent netlink socket below and
# sys_tty_config to console handling -- confirm, and record the reason here.
allow healthd self:capability { net_admin sys_tty_config };
wakelock_use(healthd)
# Create and use a kobject-uevent netlink socket (kernel uevent stream).
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
# Binder: healthd is a Binder client, publishes a service, and may call
# into system_server.
binder_use(healthd)
binder_service(healthd)
binder_call(healthd, system_server)

# Write to state file.
# TODO: Split into a separate type?
# NOTE(review): this grants write on every file carrying the generic sysfs
# label, not only the state file; only DAC modes limit it further. A
# dedicated type for the state file would let this rule be dropped.
allow healthd sysfs:file write;

# TODO: added to match above sysfs rule. Remove me?
allow healthd sysfs_usb:file write;

# Read-only access to files labeled sysfs_batteryinfo.
allow healthd sysfs_batteryinfo:file r_file_perms;

###
### healthd: charger mode
###

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow healthd pstorefs:dir r_dir_perms;
allow healthd pstorefs:file r_file_perms;

# Display (read/write), input (read-only) and tty (read/write) devices.
allow healthd graphics_device:dir r_dir_perms;
allow healthd graphics_device:chr_file rw_file_perms;
allow healthd input_device:dir r_dir_perms;
allow healthd input_device:chr_file r_file_perms;
allow healthd tty_device:chr_file rw_file_perms;
# NOTE(review): the next two rules permit executable mappings of ashmem and
# of the process's own anonymous memory, which removes the W^X guarantee for
# this domain. The file does not say what needs them -- confirm the consumer
# and drop the rules if it no longer exists.
allow healthd ashmem_device:chr_file execute;
allow healthd self:process execmem;
# NOTE(review): read/write on the proc_sysrq type plus CAP_SYS_BOOT let this
# domain trigger sysrq actions and reboot or power off the device;
# presumably used to leave charger mode -- confirm.
allow healthd proc_sysrq:file rw_file_perms;
allow healthd self:capability sys_boot;

# Register (add) and look up (find) the batteryproperties service with the
# service manager.
allow healthd batteryproperties_service:service_manager { add find };

# Healthd needs to tell init to continue the boot
# process when running in charger mode.
# NOTE(review): system_prop is a shared property type, so this allows setting
# any property labeled system_prop, not only the one used for the boot
# hand-off. A narrower property type would scope this to the stated purpose.
set_prop(healthd, system_prop)