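# iorap prefetcher daemon (iorap_prefetcherd).
# Performs the prefetch work on behalf of iorapd: it is handed its
# input/output pipes by iorapd (see the fd/fifo rules below) and is
# otherwise a read-mostly domain.  Only init and iorapd may enter this
# domain (enforced by the neverallow at the bottom of the file).
type iorap_prefetcherd, domain;
type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
type iorap_prefetcherd_tmpfs, file_type;

r_dir_file(iorap_prefetcherd, rootfs)

# Allow read/write of /proc/sys/vm/drop_caches (labelled proc_drop_caches).
# Writing to it drops the kernel page cache; this is the only /proc file
# granted for writing.
allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;

# iorap_prefetcherd temporarily changes its priority when running benchmarks.
allow iorap_prefetcherd self:global_capability_class_set sys_nice;

# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
# Only descriptors owned by iorapd may be used; no other domain's fds.
allow iorap_prefetcherd iorapd:fd use;
allow iorap_prefetcherd iorapd:fifo_file { read write };

# Allow reading most files under / ignoring usual access controls.
# CAP_DAC_READ_SEARCH bypasses DAC read/search checks on files and
# directories only; SELinux type enforcement still applies, which is why
# the explicit per-label read rules below are still required.  Keep this
# read-only (dac_read_search), never dac_override.
allow iorap_prefetcherd self:capability dac_read_search;

# Exempt the domain from MLS constraints so it can read app/user data
# regardless of the MLS level of the file.
typeattribute iorap_prefetcherd mlstrustedsubject;

# Grant logcat access (open/read of the binary only; no execute permission
# is granted by this rule).
allow iorap_prefetcherd logcat_exec:file { open read };

# Grant access to open most of the files under /.
# Every rule here is { open read [search] } only: no write, create or
# execute permission on app or system data is granted.
allow iorap_prefetcherd apk_data_file:dir { open read search };
allow iorap_prefetcherd apk_data_file:file { open read };
allow iorap_prefetcherd app_data_file:dir { open read search };
allow iorap_prefetcherd app_data_file:file { open read };
allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
allow iorap_prefetcherd dalvikcache_data_file:file { open read };
allow iorap_prefetcherd packages_list_file:dir { open read search };
allow iorap_prefetcherd packages_list_file:file { open read };
allow iorap_prefetcherd privapp_data_file:dir { open read search };
allow iorap_prefetcherd privapp_data_file:file { open read };
allow iorap_prefetcherd same_process_hal_file:dir { open read search };
allow iorap_prefetcherd same_process_hal_file:file { open read };
allow iorap_prefetcherd system_data_file:dir { open read search };
allow iorap_prefetcherd system_data_file:file { open read };
allow iorap_prefetcherd system_data_file:lnk_file { open read };
allow iorap_prefetcherd user_profile_data_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:file { open read };
allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
allow iorap_prefetcherd vendor_overlay_file:file { open read };
# Note: Do not add any /vendor labels because they can be customized
# by the vendor and we won't know about them beforehand.

###
### neverallow rules
###

# Only init and iorapd may transition into this domain; no other domain
# may spawn a process carrying these privileges.
neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };

# The prefetcher never touches the network: no TCP, UDP or raw IP socket
# permission of any kind, against any domain.
neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;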