# SELinux policy for the lpdumpd daemon, which reads super partition metadata
# and exposes it through lpdump_service. Every file permission granted below is
# a read-only set; the neverallow rules at the end limit who may reach the
# service.

type lpdumpd, domain, coredomain;
type lpdumpd_exec, system_file_type, exec_type, file_type;

# Run as an init-started daemon: executing lpdumpd_exec enters the lpdumpd domain.
init_daemon_domain(lpdumpd)

# Binder IPC, plus the right to register lpdump_service.
binder_use(lpdumpd)
add_service(lpdumpd, lpdump_service)

# Directory read access on block_device, needed to locate the super partition
# block device.
allow lpdumpd block_device:dir r_dir_perms;

# Read super partition metadata from the block device. Only r_file_perms is
# granted; nothing in this file gives lpdumpd write access to it.
allow lpdumpd super_block_device_type:blk_file r_file_perms;

# fstab lookup through the Android device-tree firmware nodes in sysfs.
allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;

# Reading the default fstab also touches the metadata locations. That access is
# NOT granted: dontaudit only keeps the resulting denials out of the audit log,
# so they will not appear when reviewing lpdumpd denials.
dontaudit lpdumpd { metadata_file gsi_metadata_file }:dir r_dir_perms;
dontaudit lpdumpd { metadata_file gsi_metadata_file }:file r_file_perms;

### Neverallow rules

# Build-time assertions: no domain other than dumpstate, shell and lpdumpd
# itself may look up lpdump_service or make binder calls into lpdumpd.
# The exemptions grant nothing on their own; the matching allow rules are
# expected in the dumpstate and shell policy (not shown here).
neverallow { domain -dumpstate -lpdumpd -shell } lpdump_service:service_manager find;
neverallow { domain -dumpstate -lpdumpd -shell } lpdumpd:binder call;