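# SELinux type-enforcement policy for the healthd domain.
#
# Layout: base rules first, then the extra rules healthd needs when it
# runs in charger mode. The macros used here (write_klog, wakelock_use,
# binder_*, unix_socket_connect) and the permission sets (r_dir_perms,
# r_file_perms, rw_file_perms, create_socket_perms) are defined outside
# this file.

# healthd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type healthd, domain;

write_klog(healthd)
# /dev/__null__ created by init prior to policy load,
# open fd inherited by healthd.
allow healthd tmpfs:chr_file { read write };

# NOTE(review): the need for each capability is not documented here.
# net_admin is presumably tied to the uevent netlink socket below;
# confirm that mknod and sys_tty_config are still required.
allow healthd self:capability { net_admin mknod sys_tty_config };
wakelock_use(healthd)
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
binder_use(healthd)
binder_service(healthd)
binder_call(healthd, system_server)

# Write to state file.
# TODO: Split into a separate type?
# NOTE(review): as written this grants write on every file that carries
# the generic sysfs label, not only the state file. Narrowing it needs a
# dedicated type for that file plus a matching labeling rule.
allow healthd sysfs:file write;

###
### healthd: charger mode
###

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
# NOTE(review): the "only one file" assumption is what keeps this read
# access narrow; re-check it if more pstore records are exposed.
allow healthd pstorefs:dir r_dir_perms;
allow healthd pstorefs:file r_file_perms;

allow healthd graphics_device:dir r_dir_perms;
allow healthd graphics_device:chr_file rw_file_perms;
allow healthd input_device:dir r_dir_perms;
allow healthd input_device:chr_file r_file_perms;
allow healthd tty_device:chr_file rw_file_perms;
# NOTE(review): the next two rules permit executable ashmem mappings and
# executable anonymous memory, which relaxes W^X for this domain. The
# file gives no reason for them; confirm what in charger mode requires
# them before keeping both.
allow healthd ashmem_device:chr_file execute;
allow healthd self:process execmem;
# Read/write access to the node labeled proc_sysrq plus the sys_boot
# capability. Presumably used to power off or reboot from charger mode;
# confirm against the charger code.
allow healthd proc_sysrq:file rw_file_perms;
allow healthd self:capability sys_boot;

allow healthd healthd_service:service_manager add;

# Healthd needs to tell init to continue the boot
# process when running in charger mode.
# NOTE(review): the set permission covers every property labeled
# system_prop, not just the one used for this signal; a dedicated
# property type would narrow it.
unix_socket_connect(healthd, property, init)
allow healthd system_prop:property_service set;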