| # storaged daemon |
| type storaged, domain, coredomain, mlstrustedsubject; |
| type storaged_exec, exec_type, file_type; |
| |
| init_daemon_domain(storaged) |
| |
| # Read access to pseudo filesystems |
| r_dir_file(storaged, sysfs_type) |
| r_dir_file(storaged, proc_net) |
| r_dir_file(storaged, domain) |
| |
| # Read /proc/uid_io/stats |
| allow storaged proc_uid_io_stats:file r_file_perms; |
| |
| # Read /data/system/packages.list |
| allow storaged system_data_file:file r_file_perms; |
| |
| userdebug_or_eng(` |
| # Read access to debugfs |
| allow storaged debugfs_mmc:dir search; |
| allow storaged debugfs_mmc:file r_file_perms; |
| ') |
| |
| # Needed to provide debug dump output via dumpsys pipes. |
| allow storaged shell:fd use; |
| allow storaged shell:fifo_file write; |
| |
| # Binder permissions |
| add_service(storaged, storaged_service) |
| |
| binder_use(storaged) |
| binder_call(storaged, system_server) |
| |
| # use batteryproperties service |
| allow storaged batteryproperties_service:service_manager find; |
| binder_call(storaged, healthd) |
| |
| # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is |
| # running as root. See b/35323867 #3. |
| dontaudit storaged self:capability dac_override; |
| |
| ### |
| ### neverallow |
| ### |
| neverallow storaged domain:process ptrace; |
| neverallow storaged self:capability_class_set *; |