# SELinux type-enforcement rules for the healthd domain. The first half covers
# normal operation; the "charger mode" section below adds the permissions used
# when healthd runs in charger mode.
#
# healthd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
# NOTE(review): domain_deprecated is an attribute defined outside this file;
# presumably it carries legacy broad allowances. Confirm what it grants in this
# tree and whether healthd still needs it.
type healthd, domain, domain_deprecated;

# Write to /dev/kmsg
# NOTE(review): rw_file_perms is defined outside this file; by its name it also
# covers read, which is wider than the write-only need stated above. Confirm.
allow healthd kmsg_device:chr_file rw_file_perms;

# Read access to pseudo filesystems.
r_dir_file(healthd, sysfs)

# Capabilities held in every mode. The reason for each is not stated here;
# net_admin is presumably tied to the uevent netlink socket below. Verify
# before trimming.
allow healthd self:capability { net_admin sys_tty_config };
wakelock_use(healthd)
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
# Binder: healthd is a binder client, offers a binder service, and may call
# into system_server.
binder_use(healthd)
binder_service(healthd)
binder_call(healthd, system_server)

# Write to state file.
# TODO: Split into a separate type?
# NOTE(review): as written this permits write to every file carrying the
# generic sysfs label, not only the state file. A dedicated type for that file
# would narrow the rule.
allow healthd sysfs:file write;

# TODO: added to match above sysfs rule. Remove me?
allow healthd sysfs_usb:file write;

allow healthd sysfs_batteryinfo:file r_file_perms;

###
### healthd: charger mode
###

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow healthd pstorefs:dir r_dir_perms;
allow healthd pstorefs:file r_file_perms;

# Display, input and tty device access for charger mode.
allow healthd graphics_device:dir r_dir_perms;
allow healthd graphics_device:chr_file rw_file_perms;
allow healthd input_device:dir r_dir_perms;
allow healthd input_device:chr_file r_file_perms;
allow healthd tty_device:chr_file rw_file_perms;
# NOTE(review): the next two rules let healthd map ashmem as executable and
# create executable anonymous memory, which relaxes W^X for this domain. The
# consumer is not named in this file; confirm it is still required and whether
# it can be limited to charger mode.
allow healthd ashmem_device:chr_file execute;
allow healthd self:process execmem;
# NOTE(review): proc_sysrq read/write together with the sys_boot capability
# gives this domain control over system restart or power-off. Presumably used
# to leave charger mode; keep both rules scoped to healthd only.
allow healthd proc_sysrq:file rw_file_perms;
allow healthd self:capability sys_boot;

# healthd registers batteryproperties_service with the service manager and
# may look it up.
allow healthd batteryproperties_service:service_manager { add find };

# Healthd needs to tell init to continue the boot
# process when running in charger mode.
# NOTE(review): set_prop on system_prop presumably covers every property with
# that label, not only the one used for this signal. Confirm whether a narrower
# property type exists.
set_prop(healthd, system_prop)