1type statsd, domain, mlstrustedsubject; 2 3type statsd_exec, system_file_type, exec_type, file_type; 4binder_use(statsd) 5 6# Allow statsd to scan through /proc/pid for all processes. 7r_dir_file(statsd, domain) 8 9# Allow executing files on system, such as running a shell or running: 10# /system/bin/toolbox 11# /system/bin/logcat 12# /system/bin/dumpsys 13allow statsd devpts:chr_file { getattr ioctl read write }; 14allow statsd shell_exec:file rx_file_perms; 15allow statsd system_file:file execute_no_trans; 16allow statsd toolbox_exec:file rx_file_perms; 17 18userdebug_or_eng(` 19 allow statsd su:fifo_file read; 20') 21 22# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system. 23allow statsd stats_data_file:dir create_dir_perms; 24allow statsd stats_data_file:file create_file_perms; 25 26# Allow statsd to make binder calls to any binder service. 27binder_call(statsd, appdomain) 28binder_call(statsd, healthd) 29binder_call(statsd, incidentd) 30binder_call(statsd, system_server) 31 32# Allow statsd to interact with gpuservice 33allow statsd gpu_service:service_manager find; 34binder_call(statsd, gpuservice) 35 36# Allow logd access. 37read_logd(statsd) 38control_logd(statsd) 39 40# Grant statsd with permissions to register the services. 41allow statsd { 42 app_api_service 43 incident_service 44 system_api_service 45}:service_manager find; 46 47# Grant statsd to access health hal to access battery metrics. 48allow statsd hal_health_hwservice:hwservice_manager find; 49 50# Allow statsd to send dump info to dumpstate 51allow statsd dumpstate:fd use; 52allow statsd dumpstate:fifo_file { getattr write }; 53 54# Allow access to with hardware layer and process stats. 55allow statsd proc_uid_cputime_showstat:file { getattr open read }; 56hal_client_domain(statsd, hal_health) 57hal_client_domain(statsd, hal_power) 58hal_client_domain(statsd, hal_power_stats) 59hal_client_domain(statsd, hal_thermal) 60 61# Allow 'adb shell cmd' to upload configs and download output. 62allow statsd adbd:fd use; 63allow statsd adbd:unix_stream_socket { getattr read write }; 64allow statsd shell:fifo_file { getattr read write }; 65 66unix_socket_send(statsd, statsdw, statsd) 67 68### 69### neverallow rules 70### 71 72# Only statsd and the other root services in limited circumstances. 73# can get to the files in /data/misc/stats-data, /data/misc/stats-service. 74# Other services are prohibitted from accessing the file. 75neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *; 76 77# Limited access to the directory itself. 78neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *; 79