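# SELinux policy for the statsd domain.
#
# The listing this was recovered from had its gutter line numbers fused into
# the first token of every statement; they are dropped here and one statement
# per line is restored. No rule has been added, removed or altered.

# NOTE(review): mlstrustedsubject is conventionally the attribute that exempts
# a subject from MLS level checks. Confirm against the MLS constraints that
# statsd still needs it.
type statsd, domain, mlstrustedsubject;

type statsd_exec, system_file_type, exec_type, file_type;
binder_use(statsd)

# Allow statsd to scan through /proc/pid for all processes.
# The target is the domain attribute, so this covers every process on the
# device rather than a named subset.
r_dir_file(statsd, domain)

# Allow executing files on system, such as running a shell or running:
#   /system/bin/toolbox
#   /system/bin/logcat
#   /system/bin/dumpsys
# execute_no_trans means the executed binary runs without a domain transition,
# so anything launched this way keeps every permission granted to statsd in
# this file. Treat the exec rules below as part of the statsd trust boundary.
allow statsd devpts:chr_file { getattr ioctl read write };
allow statsd shell_exec:file rx_file_perms;
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;

# Debug builds only: read from a pipe owned by the su domain.
userdebug_or_eng(`
  allow statsd su:fifo_file read;
')

# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
# NOTE(review): the neverallow comment at the end of this file names the second
# directory /data/misc/stats-service instead. Confirm against file_contexts
# which paths are actually labelled stats_data_file.
allow statsd stats_data_file:dir create_dir_perms;
allow statsd stats_data_file:file create_file_perms;

# Allow statsd to make binder calls to the domains listed below. This is not
# every binder service: only appdomain, healthd, incidentd, system_server and,
# on debug builds, perfprofd.
# NOTE(review): appdomain is presumably the attribute shared by all app
# domains, which would make it the widest target here - confirm.
binder_call(statsd, appdomain)
binder_call(statsd, healthd)
binder_call(statsd, incidentd)
userdebug_or_eng(`
  binder_call(statsd, perfprofd)
')
binder_call(statsd, system_server)

# Allow statsd to interact with gpuservice
allow statsd gpu_service:service_manager find;
binder_call(statsd, gpuservice)

# Allow logd access.
# NOTE(review): read_logd and control_logd are macros defined outside this
# file. control_logd presumably grants access to the logd control socket in
# addition to reading logs - confirm the control half is required.
read_logd(statsd)
control_logd(statsd)

# Grant statsd permission to look up these services. The permission granted
# is find, not add, so this rule does not let statsd register them.
allow statsd {
  app_api_service
  incident_service
  userdebug_or_eng(`
    perfprofd_service
  ')
  system_api_service
}:service_manager find;

# Grant statsd access to the health HAL to read battery metrics.
allow statsd hal_health_hwservice:hwservice_manager find;

# Allow statsd to send dump info to dumpstate
# Write-only on the pipe: statsd uses a descriptor passed by dumpstate and
# cannot read from it.
allow statsd dumpstate:fd use;
allow statsd dumpstate:fifo_file { getattr write };

# Allow access to the hardware layer and process stats.
allow statsd proc_uid_cputime_showstat:file { getattr open read };
hal_client_domain(statsd, hal_health)
hal_client_domain(statsd, hal_power)
hal_client_domain(statsd, hal_power_stats)
hal_client_domain(statsd, hal_thermal)

# Allow 'adb shell cmd' to upload configs and download output.
# These rules cover descriptors handed over by adbd and the shell domain.
# There is no open permission here, so statsd cannot open those objects itself.
allow statsd adbd:fd use;
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read write };

# NOTE(review): unix_socket_send is defined outside this file. It presumably
# lets statsd send datagrams to the statsdw socket - confirm the direction.
unix_socket_send(statsd, statsdw, statsd)

###
### neverallow rules
###

# Only statsd and the other root services, in limited circumstances,
# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
# Other services are prohibited from accessing the file.
# The exempted domains are statsd, system_server, init and vold. Adding a
# domain to this set widens access to all collected stats data and should be
# reviewed as such.
neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;

# Limited access to the directory itself.
neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;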