# bootstat command
#
# SELinux policy for the bootstat domain: the grants it needs to record boot
# metrics and boot reasons, followed by neverallow assertions that limit which
# other domains may read or set the boot-reason properties.
# Only type declarations, grants and assertions appear in this listing; no
# domain-transition rule for bootstat_exec is visible here.
type bootstat, domain;
type bootstat_exec, system_file_type, exec_type, file_type;

# Macro defined elsewhere; presumably grants read access to the runtime
# event-log tags - confirm against the macro definition.
read_runtime_log_tags(bootstat)

# Allow persistent storage in /data/misc/bootstat.
allow bootstat bootstat_data_file:dir rw_dir_perms;
allow bootstat bootstat_data_file:file create_file_perms;

# Collect metrics on boot time created by init
get_prop(bootstat, boottime_prop)

# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
# NOTE(review): the "write if empty" condition is not expressed by these
# rules; presumably it is enforced outside this policy - confirm.
set_prop(bootstat, bootloader_boot_reason_prop)
set_prop(bootstat, system_boot_reason_prop)
set_prop(bootstat, last_boot_reason_prop)

# ToDo: TBI move access for the following to a system health HAL
# NOTE(review): every grant from here to "ToDo: end" gives bootstat direct
# access to kernel and userspace log sources or to the statsd socket. Log
# contents may include sensitive data, so treat these as the widest grants in
# this file when auditing it.

# Allow access to /sys/fs/pstore/ and syslog
allow bootstat pstorefs:dir search;
allow bootstat pstorefs:file r_file_perms;
allow bootstat kernel:system syslog_read;

# Allow access to reading the logs to read aspects of system health
read_logd(bootstat)

# Allow bootstat write to statsd.
unix_socket_send(bootstat, statsdw, statsd)

# ToDo: end

# Build-time assertion: no domain outside the exception list below may be
# granted read access to the bootloader or last boot reason property files.
neverallow {
  domain
  -bootanim
  -bootstat
  -dumpstate
  -init
  -recovery
  -shell
  -system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
# ... and refine: bootanim and recovery are excepted above, but this rule
# removes their read access to last_boot_reason_prop, leaving them only
# bootloader_boot_reason_prop.
# NOTE(review): the earlier wording of this comment said "set", but the rule
# covers file read permissions (r_file_perms), not property_service set.
neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;

# Build-time assertion: only bootstat, init and system_server may be granted
# permission to set the bootloader or last boot reason properties.
neverallow {
  domain
  -bootstat
  -init
  -system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
# ... and refine ... for a ro property no less ... keep this _tight_
# system_server is excepted above, but this rule removes its ability to set
# bootloader_boot_reason_prop, leaving it only last_boot_reason_prop.
neverallow system_server bootloader_boot_reason_prop:property_service set;

# Build-time assertion: only bootstat and init may be granted permission to
# set the system boot reason property.
neverallow {
  domain
  -bootstat
  -init
} system_boot_reason_prop:property_service set;