# iorapd: Android I/O read-ahead prefetch daemon domain.
# (The earlier header "volume manager" was stale; that description belongs to vold.)
type iorapd, domain;
type iorapd_exec, exec_type, file_type, system_file_type;
# Declared here but not referenced by any rule in this file section; presumably
# consumed by a tmpfs_domain()-style macro elsewhere in the policy — TODO confirm.
type iorapd_tmpfs, file_type;

r_dir_file(iorapd, rootfs)

# Allow read/write /proc/sys/vm/drop_caches.
# Writing drop_caches evicts the page cache system-wide, so this is a
# device-wide side effect; presumably used to obtain cold-cache numbers for the
# benchmarks referenced further below — confirm before widening this rule.
allow iorapd proc_drop_caches:file rw_file_perms;

# Give iorapd a place where only iorapd can store files; everyone else is off limits
# (enforced by the neverallow rules at the end of this file).
allow iorapd iorapd_data_file:dir create_dir_perms;
allow iorapd iorapd_data_file:file create_file_perms;

# Allow iorapd to publish a binder service and make binder calls.
binder_use(iorapd)
add_service(iorapd, iorapd_service)

# Allow iorapd to call into the system server so it can check permissions.
binder_call(iorapd, system_server)
allow iorapd permission_service:service_manager find;
# IUserManager
allow iorapd user_service:service_manager find;
# IPackageManagerNative
allow iorapd package_native_service:service_manager find;

# talk to batteryservice
binder_call(iorapd, healthd)

# TODO: does each of the service_manager allow finds above need the binder_call?

# iorapd temporarily changes its priority when running benchmarks
allow iorapd self:global_capability_class_set sys_nice;

# Allow to access Perfetto traced's privileged consumer socket to start/stop
# tracing sessions and read trace data.
# NOTE(review): the consumer socket exposes trace contents from the whole
# system, so iorapd is trusted with potentially sensitive trace data here.
unix_socket_connect(iorapd, traced_consumer, traced)

###
### neverallow rules
###

# iorapd_data_file directories: any domain other than iorapd is confined to the
# listed permissions. The next rule narrows "any other domain" to init alone.
neverallow {
  domain
  -iorapd
} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };

# Only init (besides iorapd) may touch iorapd_data_file directories at all;
# combined with the rule above, init gets at most open/create/read/getattr/
# setattr/search/relabelto/ioctl on them.
neverallow {
  domain
  -init
  -iorapd
} iorapd_data_file:dir *;

# Non-directory objects labelled iorapd_data_file: other domains are limited to
# relabelto/getattr. kernel is exempted from this restriction entirely.
neverallow {
  domain
  -kernel
  -iorapd
} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };

# And only init, kernel and vendor_init may hold even those permissions;
# every other non-iorapd domain gets nothing on these objects.
neverallow {
  domain
  -init
  -kernel
  -vendor_init
  -iorapd
} { iorapd_data_file }:notdevfile_class_set *;

# Only system_server can interact with iorapd over binder
neverallow { domain -system_server -iorapd } iorapd_service:service_manager find;
# Conversely, iorapd's outgoing binder calls are limited to healthd,
# servicemanager and system_server (plus su on userdebug/eng builds).
neverallow iorapd {
  domain
  -healthd
  -servicemanager
  -system_server
  userdebug_or_eng(`-su')
}:binder call;

# Only init may enter the iorapd domain, via transition or dyntransition.
neverallow { domain -init } iorapd:process { transition dyntransition };
# iorapd has no network access: no TCP, UDP or raw IP sockets to any domain.
neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;