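# system_control: vendor daemon domain for the system-control HAL. It registers
# systemcontrol_hwservice with hwservicemanager and drives sysfs nodes, device
# nodes and a wide range of system properties. The grant set below is broad for
# a vendor daemon; rules that look wider than the job needs carry a
# NOTE(review) so the next maintainer can confirm or narrow them.
#
# Changes from the previous revision are behaviour-preserving: the three
# self:capability rules are collapsed into one, the two overlapping
# param_tv_file:dir / :file rule pairs are merged into their union, and the
# uevent-socket rule uses self (the domain's own type) instead of repeating
# system_control. No permission is added or removed.
type system_control, domain;
type system_control_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(system_control)

# Vendor binder: talk to vndservicemanager over /dev/vndbinder.
allow system_control vndbinder_device:chr_file { read write open ioctl };
allow system_control vndservicemanager:binder { call transfer };
#allow system_control default_android_vndservice:service_manager { add };

# HIDL: register systemcontrol_hwservice (and the hidl_base interface) with
# hwservicemanager.
allow system_control hwservicemanager:binder { call transfer };
allow system_control { systemcontrol_hwservice hidl_base_hwservice }:hwservice_manager { add };

# Capabilities, collected into one rule.
# NOTE(review): dac_override bypasses DAC owner/mode checks on every file this
# domain is otherwise allowed to reach. If it exists only to open a few
# vendor-owned nodes, fixing their ownership in the ueventd/init .rc files
# would let it be dropped. net_admin and sys_nice are listed here because the
# daemon configures networking (see the net_*_prop rules below) and adjusts
# scheduling; confirm both are still needed.
allow system_control self:capability { dac_override net_admin sys_nice };

# Generic sysfs read/write, plus the cpu sysfs tree.
# NOTE(review): sysfs:file rw_file_perms covers every unlabelled sysfs node;
# the more specific sysfs_* types further down suggest the generic rule may be
# narrowable once the remaining paths are labelled.
allow system_control sysfs:file rw_file_perms;
allow system_control sysfs_devices_system_cpu:file rw_file_perms;

# Kernel uevent socket for hotplug notifications. self is the domain's own
# type, so this is identical to the former "system_control system_control:" form.
allow system_control self:netlink_kobject_uevent_socket { create setopt bind read shutdown };

# NOTE(review): execute_no_trans runs vendor shell binaries *inside* this
# domain, so anything a spawned shell does inherits every rule in this file.
# A dedicated helper domain with a domain_auto_trans would contain that.
allow system_control vendor_shell_exec:file execute_no_trans;

#unix_socket_connect(system_control, vold, vold);
#unix_socket_connect(system_control, property, init);

# Property Service write
# NOTE(review): system_prop, debug_prop and powerctl_prop are system-side
# property types; powerctl_prop in particular is expected to cover the
# sys.powerctl property that init acts on (reboot/shutdown). Confirm the
# daemon really needs to set these rather than read them.
set_prop(system_control, system_prop)
set_prop(system_control, dhcp_prop)
set_prop(system_control, net_radio_prop)
set_prop(system_control, system_radio_prop)
set_prop(system_control, debug_prop)
set_prop(system_control, powerctl_prop)

get_prop(system_control, tv_config_prop)
get_prop(system_control, bcmdl_prop)
get_prop(system_control, safemode_prop)
get_prop(system_control, mmc_prop)
get_prop(system_control, device_logging_prop)

set_prop(system_control, media_prop)
get_prop(system_control, media_prop)
get_prop(system_control, aml_display_prop)
set_prop(system_control, uboot_prop)
get_prop(system_control, uboot_prop)
set_prop(system_control, tv_prop)
get_prop(system_control, tv_prop)

get_prop(system_control, wifi_prop)
set_prop(system_control, boottime_prop)
get_prop(system_control, boottime_prop)

#get_prop(system_control, firstboot_prop)
#get_prop(system_control, serialno_prop)
set_prop(system_control, overlay_prop)
get_prop(system_control, overlay_prop)
set_prop(system_control, net_dns_prop)
get_prop(system_control, net_dns_prop)
set_prop(system_control, logpersistd_logging_prop)
get_prop(system_control, logpersistd_logging_prop)
set_prop(system_control, hwservicemanager_prop)
get_prop(system_control, hwservicemanager_prop)
set_prop(system_control, dumpstate_options_prop)
get_prop(system_control, dumpstate_options_prop)
set_prop(system_control, bluetooth_prop)
get_prop(system_control, bluetooth_prop)

set_prop(system_control, persistent_properties_ready_prop)
get_prop(system_control, persistent_properties_ready_prop)

# ctl interface
# NOTE(review): ctl.* properties are how init is asked to start, stop and
# restart services; ctl_default_prop is the catch-all type for them, so this
# grant is effectively "control any init service not given a narrower ctl
# type". Prefer a per-service ctl_*_prop if only specific services are driven.
set_prop(system_control, ctl_default_prop)
set_prop(system_control, ctl_dhcp_pan_prop)
set_prop(system_control, ctl_bugreport_prop)

allow system_control block_device:dir r_dir_perms;

allow system_control sysfs_audio_cap:file {open getattr read};
allow system_control sysfs_video:file rw_file_perms;
allow system_control { sysfs_video sysfs_cec sysfs_am_vecm }:dir { search };

# NOTE(review): read/write on app_data_file from a vendor domain crosses the
# system/vendor boundary and reaches every app's private data. Confirm this
# passes the platform's neverallow checks and whether the files the daemon
# touches can be given a dedicated label instead.
allow system_control app_data_file:file rw_file_perms;
#allow system_control system_control_service:service_manager add;
#allow system_control permission_service:service_manager find;
#allow system_control surfaceflinger_service:service_manager find;
# Allow system_control to read /proc/pid for all processes
# NOTE(review): r_dir_file over `domain` grants read on the /proc/<pid> tree of
# every process on the device (cmdline, maps, status, ...). The three rules
# that follow are subsets of it and only matter if the `domain` grant is
# later removed; if the daemon only needs a few domains, keep those and drop
# the blanket one.
r_dir_file(system_control, domain)
r_dir_file(system_control, binderservicedomain)
r_dir_file(system_control, appdomain)
r_dir_file(system_control, platform_app)


allow system_control appdomain:dir { getattr search };
allow system_control appdomain:file { r_file_perms };
allow system_control platform_app:dir { search };

# param_tv_file rules, merged. The previous revision declared dir and file
# rules for this type twice with overlapping permission sets; these two lines
# are the exact union of both pairs.
allow system_control param_tv_file:dir { search read write open add_name remove_name rmdir create };
allow system_control param_tv_file:file { create open read write setattr getattr lock unlink };

#allow system_control shell_exec:file { execute_no_trans execute open read getattr };
allow system_control sysfs_digital_codec:file { read write };
#allow system_control system_file:file execute_no_trans;

# Raw block-device access (environment and cri partitions).
# NOTE(review): write on a raw block device bypasses any filesystem-level
# labelling; verify the two types map only to the intended partitions.
allow system_control { env_device cri_block_device }:blk_file { getattr read open write };

# Binder calls to system_app and to droidvold (located via hwservicemanager).
allow system_control system_app:binder { call };
allow system_control droidvold_hwservice:hwservice_manager { find };
allow system_control droidvold:binder { call };

allow system_control { video_device amvecm_device }:chr_file { read write open ioctl getattr };

allow system_control vendor_configs_file:file { ioctl lock };
allow system_control { sysfs_display_mode sysfs_am_vecm }:file { read write open getattr };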
117 | |
118 |