# SELinux domain for the GceService app.
type gceservice, domain;
app_domain(gceservice)

# Look up system services exposed as part of the Android framework public API.
allow gceservice app_api_service:service_manager find;

# App-private persistent data in its /data/data subdirectory: create and
# manage directories, regular files and symlinks.
allow gceservice app_data_file:dir create_dir_perms;
allow gceservice app_data_file:file create_file_perms;
allow gceservice app_data_file:lnk_file create_file_perms;

# Kernel log (/dev/kmsg): write access, plus getattr on the device node.
allow gceservice kmsg_device:chr_file { w_file_perms getattr };

# Tombstones: read the snapshot file and list the tombstone directory.
# For files labelled tombstone_data_file, this file grants getattr only.
allow gceservice tombstone_snapshot_file:file r_file_perms;
allow gceservice tombstone_data_file:dir r_dir_perms;
allow gceservice tombstone_data_file:file getattr;

# Communicate with the GCE Metadata Proxy over Unix domain sockets.
# The proxy process carries the default label ("kernel") because it is
# started before Android init, and thus before SELinux rules are applied.
# NOTE(review): the rule is keyed on the label, not on the proxy itself, so
# it permits connectto on any unix stream socket whose listener is labelled
# "kernel". Narrow it to a dedicated type once the proxy is labelled.
# TODO(b/65049764): Update once GCE metadata proxy is moved outside of the
# emulator or gets labelled.
allow gceservice kernel:unix_stream_socket connectto;

# gceservice writes to /dev/stune/foreground/tasks.
# NOTE(review): the grant covers every file labelled cgroup, not only that
# tasks file; the rule cannot express the path restriction by itself.
allow gceservice cgroup:file w_file_perms;