5c1fe61eaa
This change limits global access to /system files down to:
/system/bin/linker*
/system/lib[64]/*
/system/etc/ld.config*
/system/etc/seccomp_policy/*
/system/etc/security/cacerts/*
/system/usr/share/zoneinfo/*
Bug: 111243627
Test: boot device, browse internet without denials to system_* types.
Test: VtsHalDrmV1_{1, 0}TargetTest without denials
Change-Id: I69894b29733979c2bc944ac80229e84de5d519f4
25 lines
887 B
Plaintext
25 lines
887 B
Plaintext
# HwBinder IPC from client to server, and callbacks
|
|
binder_call(hal_health_client, hal_health_server)
|
|
binder_call(hal_health_server, hal_health_client)
|
|
|
|
hal_attribute_hwservice(hal_health, hal_health_hwservice)
|
|
|
|
# Common rules for a health service.
|
|
|
|
# Allow to listen to uevents for updates
|
|
allow hal_health_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
|
|
|
# Allow to read /sys/class/power_supply directory
|
|
allow hal_health_server sysfs:dir r_dir_perms;
|
|
|
|
# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks
|
|
# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health
|
|
# HAL service.
|
|
r_dir_file(hal_health_server, sysfs_batteryinfo)
|
|
|
|
# Allow to wake up to send periodic events
|
|
wakelock_use(hal_health_server)
|
|
|
|
# Write to /dev/kmsg
|
|
allow hal_health_server kmsg_device:chr_file w_file_perms;
|